MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2eff1985a43a5307ced01808eea029ce6c295e54381ec993080c013696e782fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2eff1985a43a5307ced01808eea029ce6c295e54381ec993080c013696e782fb
SHA3-384 hash: 765ceb5aba2a9ca0d5c2777d291ebce1493fb73f01706e7d20f18005418e6b21bcf5cad54df0e3fcdee3941c3ebd754e
SHA1 hash: fb1d253d4814e007c2590dc8d23979202a493330
MD5 hash: e3891973bdeca967457a89dcef3027b2
humanhash: may-oregon-diet-eight
File name:QUOTATION_FEBQUOTE24022015.tar
Download: download sample
Signature MassLogger
Create hunting rule
File size:718'336 bytes
First seen:2025-02-25 13:41:12 UTC
Last seen:Never
File type: tar
MIME type:application/x-tar
ssdeep 12288:wdOWcKBe9yT2+gG7uYcia9uT28aYr9ROCj7DKwff+ZiV55VCn7KcGYTMyT2:eNBeSfR9SQKwO0V5vC7KcGkR
TLSH T162E4E06C9A89C812CC6E63FC0960E1B4233D5DE6D546DB0B6ACCADFF7E527115A182C3
TrID 62.9% (.TAR/GTAR) TAR - Tape ARchive (GNU) (17/3)
37.0% (.TAR) TAR - Tape ARchive (file) (10/3)
Magika tar
Reporter NDA0E
Tags:geo GRC MassLogger tar

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.23414.29720.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67bdc8c028ab76d43a5d0db0
Tags:
infosteal shell micro sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed packer_detected stealer vbnet
Link:
https://www.filescan.io/uploads/67bdc8b960f4b4f0724c31ed/reports/5aa5198c-7f15-4c72-aea2-b1135aa98fc7/overview
Verdict:
Suspicious
Labled as:
Mal/DrodTar
Link:
https://www.hybrid-analysis.com/sample/2eff1985a43a5307ced01808eea029ce6c295e54381ec993080c013696e782fb
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
98%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/2eff1985a43a5307ced01808eea029ce6c295e54381ec993080c013696e782fb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2eff1985a43a5307ced01808eea029ce6c295e54381ec993080c013696e782fb/
Threat name:
ByteCode-MSIL.Infostealer.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2025-02-25 11:40:53 UTC
File Type:
Binary (Archive)
Extracted files:
18
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f37rtbnehjjqptwqdaeo5ibjzzwcsxsuhapmteyibqatnfxhql5q._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery execution spyware stealer
Link:
https://tria.ge/reports/250225-q5fcsayjz8/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2eff1985a43a5307ced01808eea029ce6c295e54381ec993080c013696e782fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

tar 2eff1985a43a5307ced01808eea029ce6c295e54381ec993080c013696e782fb

(this sample)

MassLogger

Executable exe 3dfd6a18e81bb4edcd59cf466115dc0a1edffe7bdac4bd093e0c74e61c2a720e

  
Dropping
SHA256 3dfd6a18e81bb4edcd59cf466115dc0a1edffe7bdac4bd093e0c74e61c2a720e
  
Delivery method
Distributed via e-mail attachment
  
Dropping
MD5 c0cbd107ee8f323282ef1dc0474bb627

Comments