MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 144246e0e99bb56dff2c747fd7301d1c691a159819595f35a223b79251b03b30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 144246e0e99bb56dff2c747fd7301d1c691a159819595f35a223b79251b03b30
SHA3-384 hash: 1f65bed6f29950d11f2b4a397e52446c243d27d526d731747e7619e880a31703676e195b444d57710e7e154380ee9233
SHA1 hash: a987bf26fb0b0c8b6dab791c787a1a7b6845b02c
MD5 hash: 0f01fcf9a6a52bf8fed64778ff2d1c13
humanhash: harry-emma-steak-foxtrot
File name:SecuriteInfo.com.Win64.MalwareX-gen.23643.23515
Download: download sample
Signature MassLogger
Create hunting rule
File size:2'157'568 bytes
First seen:2025-05-30 20:27:11 UTC
Last seen:2025-05-30 21:32:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:bEIcTYeSH3eCCdLd7nEwBTElmrcKbQLm8O2u8d2:QQeSXeR5d7nEUg0rYmr2u
Threatray 6 similar samples on MalwareBazaar
TLSH T1F2A5014963FC4A44F8BFAB7185B506214BB1BC479AB3E36E55C880EE0E72781CD16763
TrID 56.5% (.EXE) Win64 Executable (generic) (10522/11/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
570
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
bomb.exe
Verdict:
Malicious activity
Analysis date:
2025-05-30 19:50:17 UTC
Tags:
hausbomber loader httpdebugger tool lumma stealer payload ta558 apt stegocampaign reverseloader telegram python rat asyncrat remote github auto generic screenconnect braodo ransomware wannacry evasion snake keylogger miner coinminer bittorrent mozi botnet ims-api arch-doc valley ftp possible-phishing babar rmm-tool rdp loki formbook agenttesla guloader proxyware ghostsocks dcrat netsupport rustystealer amadey xmrig phorpiex arch-exec gcleaner
Link:
https://app.any.run/tasks/8f10d22f-4ec4-4a3b-bae4-bcaa2fc8435a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6460/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.23643.23515.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683a1709acf88f5815e93c6f
Tags:
keylog remo word
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed packer_detected vbnet zero
Link:
https://www.filescan.io/uploads/683a152fe336a33801e0e682/reports/d51b5e13-98c5-4a59-a426-677f7dba125c/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/144246e0e99bb56dff2c747fd7301d1c691a159819595f35a223b79251b03b30
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/616e7e0c-7cc8-4c5a-a1fa-d9ccb1891926
Result
Threat name:
DarkTortilla, MSIL Logger, MassLogger RA
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1702679
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected DarkTortilla Crypter
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1702679 Sample: SecuriteInfo.com.Win64.Malw... Startdate: 30/05/2025 Architecture: WINDOWS Score: 100 17 reallyfreegeoip.org 2->17 19 api.telegram.org 2->19 21 2 other IPs or domains 2->21 29 Suricata IDS alerts for network traffic 2->29 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 39 6 other signatures 2->39 7 SecuriteInfo.com.Win64.MalwareX-gen.23643.23515.exe 3 2->7         started        signatures3 35 Tries to detect the country of the analysis system (by using the IP) 17->35 37 Uses the Telegram API (likely for C&C communication) 19->37 process4 file5 15 SecuriteInfo.com.W...23643.23515.exe.log, CSV 7->15 dropped 41 Modifies the context of a thread in another process (thread injection) 7->41 43 Tries to delay execution (extensive OutputDebugStringW loop) 7->43 45 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->45 47 2 other signatures 7->47 11 SecuriteInfo.com.Win64.MalwareX-gen.23643.23515.exe 14 22 7->11         started        signatures6 process7 dnsIp8 23 api.telegram.org 149.154.167.220, 443, 49697, 49699 TELEGRAMRU United Kingdom 11->23 25 checkip.dyndns.com 193.122.130.0, 49695, 49698, 49700 ORACLE-BMC-31898US United States 11->25 27 reallyfreegeoip.org 104.21.112.1, 443, 49696 CLOUDFLARENETUS United States 11->27 49 Tries to steal Mail credentials (via file / registry access) 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 signatures9
Score:
76%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/144246e0e99bb56dff2c747fd7301d1c691a159819595f35a223b79251b03b30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/144246e0e99bb56dff2c747fd7301d1c691a159819595f35a223b79251b03b30/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-28 22:23:00 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
10
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=crbenyhjto2w37zmor75oma5drurufmydfmv6nnceo3zeunqhmya._file
Verdict:
malicious
Label(s):
novastealer
Create hunting rule
Similar samples:
144246e0e99bb56dff2c747fd7301d1c691a159819595f35a223b79251b03b30
MassLogger
6f6e7fe8d9b44b9d2a89aa045b00059023487d286dd164ddddf38d0916366700
MassLogger
9f91169f8332b4dea5a6495604fafdb6330c79af0c5b902fbe6eaae9b1692595
MassLogger
error
MassLogger
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:darktortilla family:masslogger collection crypter loader spyware stealer
Link:
https://tria.ge/reports/250530-y9h88sxls6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Darktortilla
Darktortilla family
Detects Darktortilla crypter.
MassLogger
Masslogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7359330420:AAF2CgDtP_9u7E-h3cGtGRmQzy609to9VqU/sendMessage?chat_id=7360506093
Verdict:
Suspicious
Tags:
404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/b539aba6-5a57-45d4-a0da-5e773f926d97
Unpacked files
SH256 hash:
144246e0e99bb56dff2c747fd7301d1c691a159819595f35a223b79251b03b30
MD5 hash:
0f01fcf9a6a52bf8fed64778ff2d1c13
SHA1 hash:
a987bf26fb0b0c8b6dab791c787a1a7b6845b02c
Link:
https://www.unpac.me/results/bc29b749-73ee-4bd9-b5d5-6625f23e8313/
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/144246e0e99b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe 144246e0e99bb56dff2c747fd7301d1c691a159819595f35a223b79251b03b30

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3555677/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/6460/

Comments