MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34f9dca793875270451869765911d27c3025c7df0823dd1cc1b4b0f2028a722a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34f9dca793875270451869765911d27c3025c7df0823dd1cc1b4b0f2028a722a
SHA3-384 hash: 9fcc1b63b099d477743abc161da701a59d7e39d96d88459dc7f32d1b42727ed4b4c2510a46dd16e0d6bb7315a2266860
SHA1 hash: 2565dd18ccab77b6639463974aa7f745462fd060
MD5 hash: c927f640c00b655db0d1104a6475e105
humanhash: magnesium-one-uniform-uniform
File name:新開新PO 01.2025-帳號:新開.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:669'696 bytes
First seen:2025-03-31 07:14:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:QWlZuIk4nIiTfDle1NLAvkgNDfhJrYco0qxkxY33y:OIk+Ishe1KxD5WT3
Threatray 4'587 similar samples on MalwareBazaar
TLSH T1D6E402ACE616D413CE8297744A71F6B916694EEDE401D3134FED6EBFF8768261C082C2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon b2b296b2b29696b2 (1 x AgentTesla, 1 x RemcosRAT, 1 x SnakeKeylogger)
Reporter lowmal3
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
418
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
新開新PO 01.2025-帳號:新開.exe
Verdict:
No threats detected
Analysis date:
2025-03-31 07:44:24 UTC
Tags:
amsi-bypass
Link:
https://app.any.run/tasks/5c951b16-6df5-4b5a-90e8-9c0a2e40f7ce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.29546.6805.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ea4472855e5ec5240ab1e7
Tags:
micro smtp msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/34f9dca793875270451869765911d27c3025c7df0823dd1cc1b4b0f2028a722a
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/46a97505-f9a7-4495-b9ed-54e9e5754145
Result
Threat name:
MSIL Logger, MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1652574
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1652574 Sample: #U65b0#U958b#U65b0PO 01.202... Startdate: 31/03/2025 Architecture: WINDOWS Score: 100 32 reallyfreegeoip.org 2->32 34 checkip.dyndns.org 2->34 36 checkip.dyndns.com 2->36 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus / Scanner detection for submitted sample 2->50 54 8 other signatures 2->54 8 #U65b0#U958b#U65b0PO 01.2025-#U5e33#U865f#Uff1a#U65b0#U958b.exe 3 2->8         started        signatures3 52 Tries to detect the country of the analysis system (by using the IP) 32->52 process4 file5 22 #U65b0#U958b#U65b0...U65b0#U958b.exe.log, ASCII 8->22 dropped 11 #U65b0#U958b#U65b0PO 01.2025-#U5e33#U865f#Uff1a#U65b0#U958b.exe 3 8->11         started        14 #U65b0#U958b#U65b0PO 01.2025-#U5e33#U865f#Uff1a#U65b0#U958b.exe 8->14         started        process6 file7 24 C:\Users\user\AppData\Local\Temp\newbin.exe, PE32 11->24 dropped 26 C:\Users\user\AppData\Local\Temp\brave.exe, PE32 11->26 dropped 16 brave.exe 14 2 11->16         started        20 newbin.exe 15 2 11->20         started        process8 dnsIp9 28 checkip.dyndns.com 132.226.8.169, 49720, 49721, 80 UTMEMUS United States 16->28 38 Antivirus detection for dropped file 16->38 40 Multi AV Scanner detection for dropped file 16->40 42 Tries to steal Mail credentials (via file / registry access) 16->42 44 Tries to harvest and steal browser information (history, passwords, etc) 16->44 30 reallyfreegeoip.org 104.21.80.1, 443, 49723, 49724 CLOUDFLARENETUS United States 20->30 signatures10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/34f9dca793875270451869765911d27c3025c7df0823dd1cc1b4b0f2028a722a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/34f9dca793875270451869765911d27c3025c7df0823dd1cc1b4b0f2028a722a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-03-31 06:37:15 UTC
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gt45zj4tq5jhariynf3fseospqyclr67bar52hgbwsypeaukoiva._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
212ecd5d051954ee43b7da3c5e998dffac460d74ac9ca99607e399015d3067c4
MassLogger
34f9dca793875270451869765911d27c3025c7df0823dd1cc1b4b0f2028a722a
MassLogger
470b09e386f5cd8befb4796af1aec03895b755d4219d6b9fc14e41ae5a400e23
MassLogger
8c92b39496a1f938d9c16ad3e1a7948b48923fd028e23a422c5bf8f0b7e1138b
MassLogger
a4d81a3c0db4ed8c4a90e61d123577548ec0334cc071671cd6cdb23fc450ae2b
MassLogger
bdc569c6b3a020645241982817604473e9b9460b669f81ce1576735627a793af
MassLogger
error
MassLogger
+ 4'577 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250331-h3cvwaxnz3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Verdict:
Malicious
Tags:
404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/24b757cb-2292-412a-bae3-f231c9a35650
Unpacked files
SH256 hash:
34f9dca793875270451869765911d27c3025c7df0823dd1cc1b4b0f2028a722a
MD5 hash:
c927f640c00b655db0d1104a6475e105
SHA1 hash:
2565dd18ccab77b6639463974aa7f745462fd060
Link:
https://www.unpac.me/results/096a342b-e3b1-4143-9640-b817b1bdc01f/
SH256 hash:
1b7f55de83b97ce1dbedee88c9457ccf265e295ee5acad2201c029bc98a5e0d8
MD5 hash:
1383cc4f54abf582182c0d3225b819d5
SHA1 hash:
1c6cd699bd2fe5cdf5f696f2211c80d0445a9aec
Detections:
win_404keylogger_g1
Create hunting rule
win_masslogger_w0
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Link:
https://www.unpac.me/results/096a342b-e3b1-4143-9640-b817b1bdc01f/
Parent samples :
34f9dca793875270451869765911d27c3025c7df0823dd1cc1b4b0f2028a722a
e6a379ed6367dccc3081719bb235483f1200de8668a8d5d68beafb08856e71ba
7ac2afbdd0bdfed4481c49171a5c4e814a3ad878b8887fa2594a011620e49b3d
34247d28fcf043370191c1d262f69a4da9665736aa9a5de5ff03fa6a64c71b06
SH256 hash:
f59dd6d4f1b23f1e86aa37fdf080eedfcfab40b0ca1069a2fea49001ac633036
MD5 hash:
bf07c0c5058b8eefe44a305a1b8edf28
SHA1 hash:
37eafb0eb400412d94e09f50b69f2fe87d7f07b1
Link:
https://www.unpac.me/results/096a342b-e3b1-4143-9640-b817b1bdc01f/
SH256 hash:
65f567012665c14362b89c5b7eb8ef2537085b4a2ed073f048304ce2e0e108da
MD5 hash:
e0609abeff8a8186c7286f71079587a8
SHA1 hash:
8725e3ebe1cb162e4f8a05f592c0348dd5027c4b
Detections:
win_404keylogger_g1
Create hunting rule
win_masslogger_w0
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Link:
https://www.unpac.me/results/096a342b-e3b1-4143-9640-b817b1bdc01f/
Parent samples :
34f9dca793875270451869765911d27c3025c7df0823dd1cc1b4b0f2028a722a
e6a379ed6367dccc3081719bb235483f1200de8668a8d5d68beafb08856e71ba
7ac2afbdd0bdfed4481c49171a5c4e814a3ad878b8887fa2594a011620e49b3d
34247d28fcf043370191c1d262f69a4da9665736aa9a5de5ff03fa6a64c71b06
SH256 hash:
5e4616562b5fae35ce46386dc64511ce92adbeed52e64fbbb1102f24b17cec13
MD5 hash:
a06393997d3a91f0c91648386ce12a71
SHA1 hash:
f4c6adefc2985e859772c69e95449e614926356a
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/096a342b-e3b1-4143-9640-b817b1bdc01f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/34f9dca793875270451869765911d27c3025c7df0823dd1cc1b4b0f2028a722a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe 34f9dca793875270451869765911d27c3025c7df0823dd1cc1b4b0f2028a722a

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments