MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75691dfc15e24ea4920f9309bc68aedf808fb60379c0410d898cafaab4f8328b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75691dfc15e24ea4920f9309bc68aedf808fb60379c0410d898cafaab4f8328b
SHA3-384 hash: 74b89291366aa30f7bee4a8d872e07f9cf7515028e07252b229e0620c6b26c63c0cf321aadac74292bb175fe22da0e52
SHA1 hash: bd936a27e63e60361d1191d058d13418084c7d04
MD5 hash: d023bb01175d237f56d56467e5806525
humanhash: timing-ohio-freddie-william
File name:75691dfc15e24ea4920f9309bc68aedf808fb60379c0410d898cafaab4f8328b
Download: download sample
Signature MassLogger
Create hunting rule
File size:354'304 bytes
First seen:2024-11-25 12:38:00 UTC
Last seen:2024-12-02 13:10:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (432 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 6144:dDKW1Lgbdl0TBBvjc/7kNVMWCGtJ3kmGz3R9/GP54i7hPTCml3eJrG:Vh1Lk70TnvjcwNAGtJ8r/GBR74w66
Threatray 3 similar samples on MalwareBazaar
TLSH T1C874E02470D1C2B2C47B117084EACB769A397032577A92D7BBDD1B7AAF103E5A3361C9
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter adrian__luca
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
377
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
75691dfc15e24ea4920f9309bc68aedf808fb60379c0410d898cafaab4f8328b
Verdict:
Malicious activity
Analysis date:
2024-11-25 12:58:12 UTC
Tags:
snake keylogger evasion crypto-regex
Link:
https://app.any.run/tasks/d2a86e62-296d-45ed-8a14-385f063c0819

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67446fb1b31374f098344518
Tags:
infosteal autorun redline
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Launching a process
Sending a custom TCP request
Reading critical registry keys
Creating a window
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc packed packed packer_detected redline
Link:
https://www.filescan.io/uploads/67446fbac4699945e5abd07c/reports/6382312c-0abf-400c-8a4a-f82fc7a6ffdd/overview
Verdict:
Malicious
Labled as:
Dopping.Generic
Link:
https://www.hybrid-analysis.com/sample/75691dfc15e24ea4920f9309bc68aedf808fb60379c0410d898cafaab4f8328b
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c9d6cf6-2855-43f0-9455-14e2809bcdaf
Result
Threat name:
MassLogger RAT, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1562296
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Drops large PE files
Found malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1562296 Sample: F7Xu8bRnXT.exe Startdate: 25/11/2024 Architecture: WINDOWS Score: 100 44 reallyfreegeoip.org 2->44 46 checkip.dyndns.org 2->46 48 checkip.dyndns.com 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 58 12 other signatures 2->58 9 F7Xu8bRnXT.exe 6 2->9         started        signatures3 56 Tries to detect the country of the analysis system (by using the IP) 44->56 process4 file5 32 C:\Users\user\AppData\Local\...\server01.exe, PE32 9->32 dropped 34 C:\Users\user\AppData\...\Trading_AIBot.exe, PE32 9->34 dropped 36 C:\Users\user\AppData\...\F7Xu8bRnXT.exe.log, ASCII 9->36 dropped 12 Trading_AIBot.exe 5 9->12         started        16 server01.exe 15 2 9->16         started        process6 dnsIp7 38 C:\Users\user\AppData\Roaming\...\apihost.exe, PE32 12->38 dropped 64 Antivirus detection for dropped file 12->64 66 Multi AV Scanner detection for dropped file 12->66 68 Machine Learning detection for dropped file 12->68 74 3 other signatures 12->74 19 powershell.exe 23 12->19         started        22 apihost.exe 2 12->22         started        24 schtasks.exe 1 12->24         started        40 checkip.dyndns.com 158.101.44.242, 49721, 80 ORACLE-BMC-31898US United States 16->40 42 reallyfreegeoip.org 172.67.177.134, 443, 49724 CLOUDFLARENETUS United States 16->42 70 Tries to steal Mail credentials (via file / registry access) 16->70 72 Tries to harvest and steal browser information (history, passwords, etc) 16->72 file8 signatures9 process10 signatures11 60 Loading BitLocker PowerShell Module 19->60 26 WmiPrvSE.exe 19->26         started        28 conhost.exe 19->28         started        62 Antivirus detection for dropped file 22->62 30 conhost.exe 24->30         started        process12
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/75691dfc15e24ea4920f9309bc68aedf808fb60379c0410d898cafaab4f8328b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75691dfc15e24ea4920f9309bc68aedf808fb60379c0410d898cafaab4f8328b/
Threat name:
ByteCode-MSIL.Trojan.Dopping
Create hunting rule
Status:
Malicious
First seen:
2024-11-25 12:39:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ovur37av4jhkjeqpsme3y2fo36ai7nqdphaecdmjrsx2vnhygkfq._file
Verdict:
malicious
Label(s):
unknown_loader_001
Create hunting rule
404keylogger
Create hunting rule
snakekeylogger
Create hunting rule
Similar samples:
4aa26829657bbdb5983129321451365832a69fde42f22687b9a7c598f2e04301
MassLogger
75691dfc15e24ea4920f9309bc68aedf808fb60379c0410d898cafaab4f8328b
MassLogger
error
MassLogger
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery execution spyware stealer
Link:
https://tria.ge/reports/241125-pt342atkdr/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
stealer redline trojan 404Keylogger
YARA:
MALWARE_Win_RedLine MAL_Malware_Imphash_Mar23_1
Link:
https://app.threat.zone/submission/1b74c2db-837e-4cf8-b138-6cf3275137fc
Unpacked files
SH256 hash:
7f73743991e06e23b0a1fec66a8fa5f194d49fbe15c58473d10798758c856d31
MD5 hash:
0cdbe0cd3cb5c2f0b2cb17e4417d43f5
SHA1 hash:
e3aa6201e5a42adfa1bfb4506d6852de22e07494
Detections:
win_masslogger_w0
Create hunting rule
win_404keylogger_g1
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Link:
https://www.unpac.me/results/93637be8-7d69-45ca-a220-7ab48a5aaa25/
Parent samples :
b336830d627101633db934f8d48606639c70d133a5985026bc250c035e887faf
9a1973e5fed817352699227ba40f3d5149221221882377c9a127bbf011f7f1cd
75691dfc15e24ea4920f9309bc68aedf808fb60379c0410d898cafaab4f8328b
SH256 hash:
2055f10fc1d90355981eb5a426574e32133a231c7bea26eb848267b9af33402c
MD5 hash:
3e27cba07485702ea6e2fd5d9bdb2c79
SHA1 hash:
8b14696fa6e5542d079d1e56ca9c2e1785ef2a64
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
RedLine_Campaign_June2021
Create hunting rule
Link:
https://www.unpac.me/results/93637be8-7d69-45ca-a220-7ab48a5aaa25/
SH256 hash:
d698f7db60394128a960a8008cdabc16c95256e96f6a8065bb20e1a03b7bdba1
MD5 hash:
5110abeb079f11c85d753fea5cbe42fc
SHA1 hash:
60f5ea364eb12035274163f854ffdea4506e7f64
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/93637be8-7d69-45ca-a220-7ab48a5aaa25/
SH256 hash:
f19763b48b2d2cc92e61127dd0b29760a1c630f03ad7f5055fd1ed9c7d439428
MD5 hash:
e91a1db64f5262a633465a0aaff7a0b0
SHA1 hash:
396e954077d21e94b7c20f7afa22a76c0ed522d0
Link:
https://www.unpac.me/results/93637be8-7d69-45ca-a220-7ab48a5aaa25/
SH256 hash:
75691dfc15e24ea4920f9309bc68aedf808fb60379c0410d898cafaab4f8328b
MD5 hash:
d023bb01175d237f56d56467e5806525
SHA1 hash:
bd936a27e63e60361d1191d058d13418084c7d04
Detections:
win_samsam_auto
Create hunting rule
Link:
https://www.unpac.me/results/93637be8-7d69-45ca-a220-7ab48a5aaa25/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/75691dfc15e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/75691dfc15e24ea4920f9309bc68aedf808fb60379c0410d898cafaab4f8328b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_samsam_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe 75691dfc15e24ea4920f9309bc68aedf808fb60379c0410d898cafaab4f8328b

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA

Comments