MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 431062b66c0d6b55b34049aa675cbd69534b1680cf60578f57cebacf9d4d5bb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 13

Intelligence 13 IOCs YARA 6 File information Comments

SHA256 hash:	431062b66c0d6b55b34049aa675cbd69534b1680cf60578f57cebacf9d4d5bb9
SHA3-384 hash:	59bc8a563655b88dc1c5e97efd4414ddf0da5552b8ec81603405f629e9401e9297e4f5454467d271f151f96476d23820
SHA1 hash:	0939915dcc709417e15c35b5dd7989aadcba29cb
MD5 hash:	daf5688d23e63b9278a076a6e85af77b
humanhash:	table-zulu-wolfram-thirteen
File name:	WST83770OK-PLXE78839FHI-MFTYU348940.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	794'632 bytes
First seen:	2025-01-29 14:03:27 UTC
Last seen:	2025-02-07 14:24:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:PzSggsi6RjnMKT1VhlksZi0X3s7t0SnlNOsAq9nvmpZ96uS0Jkr4sIrMKflNlkR:Pz9RMEVrXi0M7t0SzOsxvmfSpIrhflNY
TLSH	T180F48EC02BE46749CD3E6634A855EC7013713E29B471FAE66ADCB35336B92118D29F0E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	8e49656555009595 (2 x AgentTesla, 1 x MassLogger)
Reporter	threatcat_ch
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

502

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.14023.20716.UNOFFICIAL

Verdict:

Malicious

Score:

95.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=679a36d439cd5095f12b4e67

Tags:

injection snake virus msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Launching a process

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/679a355618ab66742bb2e9ec/reports/d2566950-6f36-4da3-a49b-647869a6c50c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/431062b66c0d6b55b34049aa675cbd69534b1680cf60578f57cebacf9d4d5bb9

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2096e5e9-b434-44c5-98d4-9eed148294ba

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1602191

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/431062b66c0d6b55b34049aa675cbd69534b1680cf60578f57cebacf9d4d5bb9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/431062b66c0d6b55b34049aa675cbd69534b1680cf60578f57cebacf9d4d5bb9/

Threat name:

ByteCode-MSIL.Backdoor.FormBook

Status:

Malicious

First seen:

2025-01-29 12:08:03 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 22 (86.36%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=imigfntmbvvvlm2ajgvgoxf5nfjuwfuaz5qfpd2xz25m7hknlo4q._file

Verdict:

malicious

Label(s):

snakekeylogger

unknown_loader_037

Similar samples:

error

MassLogger

Result

Malware family:

n/a

Score:

6/10

Tags:

collection discovery

Link:

https://tria.ge/reports/250129-rc9llazpcx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Verdict:

Malicious

Tags:

404keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/97448517-6b41-47e1-a9f1-6aa29fced81d

Unpacked files

SH256 hash:

0b3949e224298a76faef3053d268111928a658dc5bea4dff9b1ea18e73524eff

MD5 hash:

276930025addec1f45c8882ecc45665e

SHA1 hash:

ebc20edea8b8b17e267ec3670baefdd87b815a41

Detections:

win_masslogger_w0

win_404keylogger_g1

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/874bc348-e2b9-405c-aaf9-1870e26afdca/

SH256 hash:

2d2a5561a0471e87d35c207ff206b04c8a47bd4a97767554b3b54ba0e0c60d1e

MD5 hash:

4d2556428476811596294f2b9a7d1ac8

SHA1 hash:

a598a97a5a28dfe49ba05aeeeeb248c4b594bf7d

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/874bc348-e2b9-405c-aaf9-1870e26afdca/

SH256 hash:

5f7925fadc546c93fb006f23940cf580802417139d6544bc63a821740d697c9d

MD5 hash:

83ffe9af0569078e80e6aba4d4b88809

SHA1 hash:

03ec5cff9dacf99cc1d10953f9f95306a84ac4d3

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

Link:

https://www.unpac.me/results/874bc348-e2b9-405c-aaf9-1870e26afdca/

SH256 hash:

431062b66c0d6b55b34049aa675cbd69534b1680cf60578f57cebacf9d4d5bb9

MD5 hash:

daf5688d23e63b9278a076a6e85af77b

SHA1 hash:

0939915dcc709417e15c35b5dd7989aadcba29cb

Link:

https://www.unpac.me/results/874bc348-e2b9-405c-aaf9-1870e26afdca/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/431062b66c0d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

exe 431062b66c0d6b55b34049aa675cbd69534b1680cf60578f57cebacf9d4d5bb9

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample