MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61d7847617ce3e59e301dd1779044feab0d1d3bfe9aa62870fb795435a47eed2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61d7847617ce3e59e301dd1779044feab0d1d3bfe9aa62870fb795435a47eed2
SHA3-384 hash: fae8f2395fd14da481f6dc322c733fbca7d029a85e27f04b489cce3da3bf3b18429edcf1c847eed0fd53d4451d7347a6
SHA1 hash: 983211c810531559fb818377080f88e9ede2e869
MD5 hash: aba3c8d6249588d54aa9536a156f29b7
humanhash: wyoming-virginia-papa-freddie
File name:SWIFT-PAYMENT-VALUE-DATE-10-10-23-YAT171928-36Y1T2-716YAU-37102YJ-AP26.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'076'736 bytes
First seen:2023-10-11 19:20:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:IuTpjBb+HM+UV2lVEUxg2JLYgrQt69TUw8eBpS:IuTpjBaHM+UV2lVJkgkoTUzwS
Threatray 3'265 similar samples on MalwareBazaar
TLSH T1A3352355BA21DF51C822A53F6B9FFA199888B4398C14626ECDCCF31FA5640C05C87DBE
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 68d8d8c9d9e9c1d9 (8 x Formbook, 1 x NanoCore, 1 x MassLogger)
Reporter abuse_ch
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SWIFT-PAYMENT-VALUE-DATE-10-10-23-YAT171928-36Y1T2-716YAU-37102YJ-AP26.exe
Verdict:
Malicious activity
Analysis date:
2023-10-11 19:22:22 UTC
Tags:
zgrat
Link:
https://app.any.run/tasks/9b365923-64e2-4933-bd19-c2a2d54882ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/453438/
Detection(s):
SecuriteInfo.com.FileRepMalware.17189.19470.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/6526f5a48d16e62970c186ed/reports/279f09c2-4d35-4a60-9c0b-46536c0fbddc/overview
Verdict:
Malicious
Labled as:
Trojan.Mardom.MN.Generic
Link:
https://www.hybrid-analysis.com/sample/61d7847617ce3e59e301dd1779044feab0d1d3bfe9aa62870fb795435a47eed2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b9abcb5d-bfe0-4a95-af8e-badf3d59c453
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/61d7847617ce3e59e301dd1779044feab0d1d3bfe9aa62870fb795435a47eed2/
Threat name:
ByteCode-MSIL.Trojan.Mardom
Create hunting rule
Status:
Malicious
First seen:
2023-10-11 02:50:19 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
5
AV detection:
19 of 36 (52.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mhlyi5qxzy7ftyyb3ulxsbcp5kyndu575gvgfbypw6kugwsh53ja._file
Verdict:
malicious
Similar samples:
14a10ef4f604c227bfa74bae7dd4b0ea95e27f0d1711080cd31efe6ab1141e95
MassLogger
257891b32e5b952cf172a11affd291e4964ec9c1b24e51e174a4146503f8164a
MassLogger
5c7e18764c02e02117f91213a2f66e63265d3ed30c0ea8ae1c9be8ff5ee4ba43
MassLogger
62c1d71fff5293071772735f75960544716be3c3ee5996c6889f3ef3b4e7bcec
MassLogger
75d7d46ed7d193c249f6f1d7e309b6986f1303e772599d90d65467b4a7d5f80a
MassLogger
8e97f86958e8abcbac1caa515bd07b0c20edc5c48b719e3d2a4f9ac14912165f
MassLogger
9554e7ef83f9c1aabed52be7a308d7e25c99e7d71e006146aee045d29784f92d
MassLogger
b7f3d85fc66f301be89b8df9ea44f53ddbd498e8806b576ccba3575c53a29304
MassLogger
e54a10d5f2679cf96e33d264734763b1864c859cd2fe666e9d803a081d521bcd
MassLogger
ff38415bfa7f2db5ba40f26e64ede0676971c441823d2ec2755d644d8905d809
MassLogger
+ 3'255 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/231011-x2pklsab98/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
61d7847617ce3e59e301dd1779044feab0d1d3bfe9aa62870fb795435a47eed2
MD5 hash:
aba3c8d6249588d54aa9536a156f29b7
SHA1 hash:
983211c810531559fb818377080f88e9ede2e869
Link:
https://www.unpac.me/results/934b217e-8d88-47c3-9064-cf0562a25345/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/61d7847617ce/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61d7847617ce3e59e301dd1779044feab0d1d3bfe9aa62870fb795435a47eed2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Author:qux
Description:Detects exe does not have import table
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe 61d7847617ce3e59e301dd1779044feab0d1d3bfe9aa62870fb795435a47eed2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/453438/

Comments