MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 547f1a4190de76e64b30bbf7af297dd27726fb938027fd19b65db5e6d74e23cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 547f1a4190de76e64b30bbf7af297dd27726fb938027fd19b65db5e6d74e23cd
SHA3-384 hash: b565a2fd159f38c600fedcf5d3a8ffd3aab25c901dccf8e4542c8263070310cb18bfd4d402d47f7369d6b85516fa7fa9
SHA1 hash: 54d484d170f54f420d82a475b9e6735cdffa5f85
MD5 hash: 43d515ce2b62bad63485ed46844f643a
humanhash: pennsylvania-california-lion-south
File name:HUSDGHCE23ED.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:959'488 bytes
First seen:2024-12-19 09:26:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:mJVcWy9iv8r2FHqbawOGHtCW8OGSJwnpeWHm:mJVcWy9avOGSEeWH
Threatray 1'056 similar samples on MalwareBazaar
TLSH T13D158C1677FC5E1ED2AE477BF4B4081A87F5F902B362EA0D6810B76D0C93B8149513AB
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter TeamDreier
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
401
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HUSDGHCE23ED.exe
Verdict:
Malicious activity
Analysis date:
2024-12-19 09:47:02 UTC
Tags:
evasion snake keylogger stealer ims-api generic
Link:
https://app.any.run/tasks/d9e3b467-0741-495e-889f-edcc4ebd0c7c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BackDoor.RatNET.2.30617.18255.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6763e6ee653a8698dfdaeb25
Tags:
backdoor virus msil
Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/6763e6f021bbe1761ca6a631/reports/86b8b3cf-34e2-47c8-83ec-f62fb17f7b34/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/547f1a4190de76e64b30bbf7af297dd27726fb938027fd19b65db5e6d74e23cd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bff3e5df-fa47-47e9-972f-613bafc80938
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1578148
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected MassLogger RAT
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/547f1a4190de76e64b30bbf7af297dd27726fb938027fd19b65db5e6d74e23cd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/547f1a4190de76e64b30bbf7af297dd27726fb938027fd19b65db5e6d74e23cd/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-12-16 21:51:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kr7ruqmq3z3omszqxp326kl52j3sn64tqat72gnwlw26nv2oepgq._file
Verdict:
malicious
Label(s):
snakekeylogger
Create hunting rule
Similar samples:
6a3eefff7806a0b03f089f6b53f17a1db9b6de86cb5c28c798a1b5244fbe7aa8
MassLogger
6d6bc50f49d767016b18192124d9b60d8debda1238077a582c92cb918bf7630c
MassLogger
6eeb98a459b751958852c0072505e5d187b5473759dca00ef259065c914332a3
MassLogger
7dca5662fe7621ffd890ac202dd50e9d22b8f2ca186490ad62d8813cc0727cdb
MassLogger
80e12c2425ec7b8aa8913df82bd47c0c1a62f6539df22b6bf1ddab8b1694e3e8
MassLogger
8e1dcf3fda2c83bbf8c6422a8e9b67ec30f80f7c09898a85997b65ef866bdd20
MassLogger
error
MassLogger
+ 1'046 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery spyware stealer
Link:
https://tria.ge/reports/241219-lerkxayqek/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Verdict:
Suspicious
Tags:
404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/f606a102-599c-480f-90c8-7a9cdd10f657
Unpacked files
SH256 hash:
45c7b64a55dca23ee1239649e03a7c361813dbcfc2a0817b0d8e94c907d6ed4b
MD5 hash:
fb1bc19121c4e190d83672bc71b493f0
SHA1 hash:
c3488b969ba578e28ee360be24b6416425a224a0
Link:
https://www.unpac.me/results/0cff9a7b-ab1b-4d91-b904-e187ca124f67/
SH256 hash:
18c327aa98164f985f8a2e7a76de50477702b6be58b3e47687a5a11ee54260b4
MD5 hash:
19896bc18e2e1da458325ae41e57a7a9
SHA1 hash:
663833a62fd934abd36458cfda33a81637aed677
Link:
https://www.unpac.me/results/0cff9a7b-ab1b-4d91-b904-e187ca124f67/
SH256 hash:
45642ea9061718d937c727d07c3549d11cdc7dc439f6e28289d7d03955398b99
MD5 hash:
653af763664d41a75d7c804d1888f99e
SHA1 hash:
32750e089ca9e3498f04b031f692aa8d52eca7bc
Detections:
win_masslogger_w0
Create hunting rule
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/0cff9a7b-ab1b-4d91-b904-e187ca124f67/
Parent samples :
547f1a4190de76e64b30bbf7af297dd27726fb938027fd19b65db5e6d74e23cd
776e675ee48e029e417d5ed22ef53ccb5225660871d2152c4f4dc786eff91e62
778f9aa3775f01e8be291052165e046a6344d925f5014d2ebbebd6e46148ae1b
91a04734fb1bfa93391d961ff94dfdfffc3021d6cf56cb31f9d696aa3251c6e2
0a1eadcceee3f37f895ee23bb8458140090cf58b411e57ec262dc28e76076de5
fad0d7b591575802da0e35b68ece5c3e47aff15c4e4d21f7c1014cbd58ee4b70
aba0672f82dcf1487d5b7b5647291ee0974e962018425dbc48ee10438fd6cf07
3cae6386cad4c42b5769266a2672742064999f61ce2ecc4704967a6e9c15658b
2d2770b3aaa2c319bc03e599a8212ef031369914cdf5f7b32422f6e177aff916
42b6e2a1e7faad8e59e5ef56e2806bb6efbed847058dafdf01416bea4aaa9c04
SH256 hash:
547f1a4190de76e64b30bbf7af297dd27726fb938027fd19b65db5e6d74e23cd
MD5 hash:
43d515ce2b62bad63485ed46844f643a
SHA1 hash:
54d484d170f54f420d82a475b9e6735cdffa5f85
Link:
https://www.unpac.me/results/0cff9a7b-ab1b-4d91-b904-e187ca124f67/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe 547f1a4190de76e64b30bbf7af297dd27726fb938027fd19b65db5e6d74e23cd

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments