MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 778f9aa3775f01e8be291052165e046a6344d925f5014d2ebbebd6e46148ae1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 13

Intelligence 13 IOCs YARA 6 File information Comments

SHA256 hash:	778f9aa3775f01e8be291052165e046a6344d925f5014d2ebbebd6e46148ae1b
SHA3-384 hash:	bf2d9250a625c9d33c560c47881d184bae2ac1d766a058de15e5b14f9b35da61383bb6bdaace2754dcef138c5c0c959e
SHA1 hash:	cfd41e1636eccd3b47ee9cdcdc5351fe3c3cefa7
MD5 hash:	330e82d1533a039ed8c68e0c40bf7d61
humanhash:	ack-whiskey-four-zebra
File name:	RENH3RE2025QUOTE.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	666'112 bytes
First seen:	2025-01-14 10:52:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:qYRxA4Y5lyA/BxSPCdSm3uD97XzDNfUt1B2UvMBjDajuyUpoTLKFUN0uUC3d:lRQSfFq2wMxTyUpOLvH3d
TLSH	T113E4CE85E584C501DC691F741832EEB8126BBEA9BD74D20EDBDC3DFB7A732831421A46
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	0307612c88000000 (65 x AgentTesla, 47 x RemcosRAT, 9 x MassLogger)
Reporter	TeamDreier
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

448

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67864224aa9c8e7858deab74

Tags:

micro shell smtp

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Adding an exclusion to Microsoft Defender

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/6786421ff1b96fac3180e3d1/reports/0a912677-6a75-4cee-a2b8-31cbdfc0d015/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/778f9aa3775f01e8be291052165e046a6344d925f5014d2ebbebd6e46148ae1b

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6a74e352-a99f-437d-bf91-697d7d19eefb

Result

Threat name:

MassLogger RAT, PureLog Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1590628

Signature

Adds a directory exclusion to Windows Defender

AI detected suspicious sample

Found malware configuration

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/778f9aa3775f01e8be291052165e046a6344d925f5014d2ebbebd6e46148ae1b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/778f9aa3775f01e8be291052165e046a6344d925f5014d2ebbebd6e46148ae1b/

Threat name:

ByteCode-MSIL.Trojan.SnakeLogger

Status:

Malicious

First seen:

2025-01-14 08:04:46 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 37 (67.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=o6hzvi3xl4a6rprjcbjbmxqenjrujwjf6uau2lv35ploiykivynq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

collection discovery execution spyware stealer

Link:

https://tria.ge/reports/250114-myyzrsyjcj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Verdict:

Suspicious

Tags:

404keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/b11b3457-7826-4d81-9a48-79d0aad325b3

Unpacked files

SH256 hash:

c4046948c364f88eb5f030b27735a9f6cbbc6e7a8b999c94c767102c0bb4aa31

MD5 hash:

f84dde21ff0ee5588059e888f03189b9

SHA1 hash:

befcce6c4a1ae2917ed2ffe3835ccc017fff3756

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/8c71c038-9880-452d-bdf3-69cc9f8c6ccc/

SH256 hash:

45642ea9061718d937c727d07c3549d11cdc7dc439f6e28289d7d03955398b99

MD5 hash:

653af763664d41a75d7c804d1888f99e

SHA1 hash:

32750e089ca9e3498f04b031f692aa8d52eca7bc

Detections:

win_masslogger_w0

win_404keylogger_g1

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/8c71c038-9880-452d-bdf3-69cc9f8c6ccc/

Parent samples :

547f1a4190de76e64b30bbf7af297dd27726fb938027fd19b65db5e6d74e23cd
776e675ee48e029e417d5ed22ef53ccb5225660871d2152c4f4dc786eff91e62
778f9aa3775f01e8be291052165e046a6344d925f5014d2ebbebd6e46148ae1b
91a04734fb1bfa93391d961ff94dfdfffc3021d6cf56cb31f9d696aa3251c6e2
0a1eadcceee3f37f895ee23bb8458140090cf58b411e57ec262dc28e76076de5
fad0d7b591575802da0e35b68ece5c3e47aff15c4e4d21f7c1014cbd58ee4b70
aba0672f82dcf1487d5b7b5647291ee0974e962018425dbc48ee10438fd6cf07
3cae6386cad4c42b5769266a2672742064999f61ce2ecc4704967a6e9c15658b
2d2770b3aaa2c319bc03e599a8212ef031369914cdf5f7b32422f6e177aff916
42b6e2a1e7faad8e59e5ef56e2806bb6efbed847058dafdf01416bea4aaa9c04

SH256 hash:

3aa7ca05584211acc2467c39553e7a045c6b5ba59ff266127801be4cddbd0cbb

MD5 hash:

35e1b4bc5de79edb713c8692cb4efd38

SHA1 hash:

06e23eedcbfa52850fd10fb7764431a452b90a7e

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/8c71c038-9880-452d-bdf3-69cc9f8c6ccc/

Parent samples :

dda88b2f3e4fc0dd679df66662d77aaedaeed19d542fab5171f54e0b01869461
24e7335ab9d5e3232a8434d8e48a72e3b4a537f5496f3bfec0ef88a2359157c6
a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91
d1a82af2d052117e637c17671568650659a93541083f107e4d1b2d357935928d
778f9aa3775f01e8be291052165e046a6344d925f5014d2ebbebd6e46148ae1b
4d7ae4a600ffeadb38636c294d14612029a0b76313fefb6f27b606b2018b3400
efd86329975988f4c9e3178d139e82558d9ab07bb53dea0c5b6d0b234bb5cd35
800f9ec3e0b17084a4479e88fcc9089418ebd621531d1aee2eefbed5622a69b4
4d49933551f01cc730f63fd290ecb61f4bfa880a0660f0ec7363e148ef85645a
53744fdba0544f915f43eddad494ea07a405776df30864415d6b1445db042481

SH256 hash:

778f9aa3775f01e8be291052165e046a6344d925f5014d2ebbebd6e46148ae1b

MD5 hash:

330e82d1533a039ed8c68e0c40bf7d61

SHA1 hash:

cfd41e1636eccd3b47ee9cdcdc5351fe3c3cefa7

Link:

https://www.unpac.me/results/8c71c038-9880-452d-bdf3-69cc9f8c6ccc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/778f9aa3775f01e8be291052165e046a6344d925f5014d2ebbebd6e46148ae1b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

exe 778f9aa3775f01e8be291052165e046a6344d925f5014d2ebbebd6e46148ae1b

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample