MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29ea2e83d8bb49b7b646895e04c08bf60760a79cec2d761ccbee7704216323cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29ea2e83d8bb49b7b646895e04c08bf60760a79cec2d761ccbee7704216323cf
SHA3-384 hash: c9500af533c5f22a8da5369389d20ddbdd2f4a44a1f10025430ac821c2cc81d91afe7f2edbece6e4f1ddb6d3bc82b18c
SHA1 hash: b9200cb7cbf75f8f399ec7752a7dfaef5f3acf12
MD5 hash: d36de44bf023570b2f83fde6e95842dd
humanhash: whiskey-north-winter-wisconsin
File name:DHLINV1708023 - 1301512300.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'022'464 bytes
First seen:2023-08-17 18:23:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:g2iNsXDl+CPLnid2sxF+pAz127hoc5etv4GuHkkz0FxycEgh2uWM+kz:g1g7LQqdRQAHkkzkTh2uB+kz
Threatray 16 similar samples on MalwareBazaar
TLSH T1AB251211665297B9C27C83F2308699A13FF81E1FD069EE512BE575CB3539BB042CB263
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:DHL exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
279
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHLINV1708023 - 1301512300.exe
Verdict:
Malicious activity
Analysis date:
2023-08-17 19:08:53 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/c039305c-84a1-4cdc-b4f9-a58395c65d91

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
MassLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/443302/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/29ea2e83d8bb49b7b646895e04c08bf60760a79cec2d761ccbee7704216323cf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d67de4d-bbc4-49d2-97b9-24fe9eacdad4
Result
Threat name:
MassLogger RAT, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1293158
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/29ea2e83d8bb49b7b646895e04c08bf60760a79cec2d761ccbee7704216323cf/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-17 11:33:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fhvc5a6yxne3pnsgrfpajqel6ydwbj445qwxmhgl5z3qiildephq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
0e730ca24e30d7fb72181befa3b88400a62f321be94db3e2ac4883fa4efa5ad7
MassLogger
40b850fee63af78a35cd4f52c27b37d62879df299fb83c4f639d5efb9af1c283
MassLogger
4b5393731fe1fc36d0e188b5e38defd0ba84a865efdd9e944065c1831a412f33
MassLogger
7187a6d2980e3696396c4fbce939eeeb3733b6afdf2e859a385f8d6b29e8cebc
MassLogger
96e45500db445f50f255908635dc793bc896a0d919f989de9080ceb1a3bd74d9
MassLogger
b8bfa96db841cb95723f5f8645e58d69ca63ecab0cdd50d08ebeb864ec66ae61
MassLogger
e7f0261f170ad022b44a31b65a4c61adffb2cbc85ec64487c3875fd8a6c3cc5e
MassLogger
f0e3d1d1dd4b0b69a99c24ce4217194e9cbbb4f1efd8edcb8831f6e889c9b5cd
MassLogger
+ 6 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger spyware stealer
Link:
https://tria.ge/reports/230817-w12ccadf2w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Deletes itself
MassLogger
MassLogger Main payload
Unpacked files
SH256 hash:
62623b990d5a28f70e99f75c90cd2ce97ab59b88a99d81f82f6a900b92a51a34
MD5 hash:
5b7ab1b7649b5cc687e5db633799d905
SHA1 hash:
ed0283947401af30b9446ef97915b093cf8d30fc
Link:
https://www.unpac.me/results/d607eafa-74a3-4b8a-984b-089ffbb593e8/
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/d607eafa-74a3-4b8a-984b-089ffbb593e8/
SH256 hash:
7187a6d2980e3696396c4fbce939eeeb3733b6afdf2e859a385f8d6b29e8cebc
MD5 hash:
3c05e9000f006c7f1549153e7b54e74c
SHA1 hash:
b6ca7834020470508a9c205d57621d2a2d025d02
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/d607eafa-74a3-4b8a-984b-089ffbb593e8/
Parent samples :
0d98cc703438cff3cc32a2bd01032c9234cae7c6e4c375047d0260b5d0b5e783
05e3a40f74192a66cd31fc9b80043e0568e55759b24a7e041448b7061daf3b93
e7f0261f170ad022b44a31b65a4c61adffb2cbc85ec64487c3875fd8a6c3cc5e
a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf
941401b8cc0345e99b5366597242c44f064794bd238938d647b0bc3ffa99277e
96e45500db445f50f255908635dc793bc896a0d919f989de9080ceb1a3bd74d9
7187a6d2980e3696396c4fbce939eeeb3733b6afdf2e859a385f8d6b29e8cebc
40b850fee63af78a35cd4f52c27b37d62879df299fb83c4f639d5efb9af1c283
7bfa8287efe94726b341443f10b3fc7aeb71d32f3138bec5557a401cc0cbbe15
f0e3d1d1dd4b0b69a99c24ce4217194e9cbbb4f1efd8edcb8831f6e889c9b5cd
29ea2e83d8bb49b7b646895e04c08bf60760a79cec2d761ccbee7704216323cf
SH256 hash:
b26a7e88c2fc5a6dbf3e1f5d8ac59c4579b3b9047f462c5cb7ee79548fa18da9
MD5 hash:
06dc1333af7361fb9ebebe5c4dbe58e4
SHA1 hash:
1adadf881904c5370e96c0a566085cf3c83ca8d0
Link:
https://www.unpac.me/results/d607eafa-74a3-4b8a-984b-089ffbb593e8/
SH256 hash:
29ea2e83d8bb49b7b646895e04c08bf60760a79cec2d761ccbee7704216323cf
MD5 hash:
d36de44bf023570b2f83fde6e95842dd
SHA1 hash:
b9200cb7cbf75f8f399ec7752a7dfaef5f3acf12
Link:
https://www.unpac.me/results/d607eafa-74a3-4b8a-984b-089ffbb593e8/
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/29ea2e83d8bb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/29ea2e83d8bb49b7b646895e04c08bf60760a79cec2d761ccbee7704216323cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe 29ea2e83d8bb49b7b646895e04c08bf60760a79cec2d761ccbee7704216323cf

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/443302/

Comments