MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c5e09a96b5420d6bf8cefaf5465ccc94c69e1849b7aa6ad194d3633d560742f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 16

Intelligence 16 IOCs YARA 21 File information Comments

SHA256 hash:	8c5e09a96b5420d6bf8cefaf5465ccc94c69e1849b7aa6ad194d3633d560742f
SHA3-384 hash:	ff958806a9203d5dbf2a893273c21b4a670b3379db32d4cb8003ed229774f31d19ce37c58914af019530bcdb5f4dc643
SHA1 hash:	9af982394d1f6a114071a76cba3bb27fe7d310b6
MD5 hash:	6279973ea55b8bfa39e542a508de961f
humanhash:	robin-five-oxygen-salami
File name:	SOA NOV. Gateway Freight_MEDWA0577842.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'004'032 bytes
First seen:	2025-01-09 18:12:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	24576:gAHnh+eWsN3skA4RV1Hom2KXMmHaZ8aAa9j5:Xh+ZkldoPK8YaZ3Bn
Threatray	1'033 similar samples on MalwareBazaar
TLSH	T1B5259C0273D1C036FFABA2739B6AF24556BC79254133852F13981DB9BD701B2227E663
TrID	63.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 11.6% (.EXE) Win64 Executable (generic) (10522/11/4) 7.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 5.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
File icon (PE):
dhash icon	aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter	lowmal3
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

435

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SOA NOV. Gateway Freight_MEDWA0577842.exe

Verdict:

Malicious activity

Analysis date:

2025-01-09 18:23:29 UTC

Tags:

evasion snake keylogger stealer

Link:

https://app.any.run/tasks/efe60e8c-1ce9-4e03-960d-d8b71c198eca

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.FileRepMalware.2966.22321.UNOFFICIAL

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=678013b0ffdcee13ec88fb38

Tags:

autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context autoit compiled-script evasive fingerprint fingerprint keylogger microsoft_visual_cc packed packed packer_detected

Link:

https://www.filescan.io/uploads/678011b62354b43c45e11276/reports/a5cf8a30-aa1e-4085-aaa1-faf1460eb9d4/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/8c5e09a96b5420d6bf8cefaf5465ccc94c69e1849b7aa6ad194d3633d560742f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/96854722-c7fa-4d71-b11a-e97d3127a83c

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1586934

Signature

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected MassLogger RAT

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8c5e09a96b5420d6bf8cefaf5465ccc94c69e1849b7aa6ad194d3633d560742f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8c5e09a96b5420d6bf8cefaf5465ccc94c69e1849b7aa6ad194d3633d560742f/

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2024-12-24 13:26:02 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rrpatkllkqqnnp4m56xvizomzfggtymetn5knlizju3dhvlaoqxq._file

Verdict:

malicious

Label(s):

unknown_loader_036

snakekeylogger

MassLogger

77f2a3737cab01bc454786bc7c35d73fc547378e554154863b906ca168793c0e

MassLogger

80b3c8d9dcccf09f2cd697875d417ecfd90dc7ce3132ef10bc5d6f48510d19da

MassLogger

a9b4db85972f79d070675d9e058631e48b252361e60cd129ba00b94e2f8d2327

MassLogger

b74937d0f19896f2d3256daf121395e8fcea20c8a509fac8fd5ebb95306fd00b

MassLogger

error

MassLogger

+ 1'023 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

collection discovery

Link:

https://tria.ge/reports/250109-wtql9syngk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Verdict:

Suspicious

Tags:

trojan 404keylogger

YARA:

SUSP_Imphash_Mar23_3

Link:

https://app.threat.zone/submission/3e0a1f9e-26cd-40c9-b20f-ae0aff3857ee

Unpacked files

SH256 hash:

48be0bea6d6beb657a4218591530b7e563d211645f8bc671282be03837365eb1

MD5 hash:

3dd886e6d02b9610fdfb1c7361b71c1c

SHA1 hash:

ab4256e042eca5a670e4f1d2b6d3e8d78466bffd

Detections:

win_masslogger_w0

win_404keylogger_g1

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/b6cc12f8-cdfd-4110-9e8e-318bcb309176/

Parent samples :

f19fdc3a63aabdab91c94a0626ee6b28c62b98ffb96a454778cddb64edccf781
e0663b19ffa16445efed5a1c70bd92ab61a65faef5535fe7f43c81f3b86ea2c2
8c5e09a96b5420d6bf8cefaf5465ccc94c69e1849b7aa6ad194d3633d560742f
9604ee9c0cf521a022d9726b2e1dd82e6b3813d2ade567430b39a2fd9545063b
12ba2968289b6481ff52ba0d28aedfabb961145072da218dd13c6b9353d1eb04
8d3b00bb743c8d64e425c6014136080805acaa3cac12bf62151bb1e19908a89f
eda2bf8423a8046d884b20532a74bed0ce7219a2ee5f9fe829a72624d081e3df
65b878e0d18d156a3731f52f69e69088cdefa85ee630de7a75f1c062068c260b
4b7b96a969603084656add5a232616166928a00d88223f5299dec55303e1b413
60c38c0cc5461a5698f05dad6f5715f62e2f8168caa8a81131686c888681fc03
bf577ecd72cba029e0f09ba13fd808bbf730efae25ea4e35a4825ec9a57e0f9c
7984c497ff344dd8ad4baac3992be7d6a1c5ff907effe1aa4595330dc19d0102
270d25fa4c48a659c108da5452b8b90ea07f0473ee4dcaeb66889eb0e2443c99
07af1dae3080a3fe9024cc5398a30b3a2e0d07dab4e294ff3c0b0fb4c931addf

SH256 hash:

8c5e09a96b5420d6bf8cefaf5465ccc94c69e1849b7aa6ad194d3633d560742f

MD5 hash:

6279973ea55b8bfa39e542a508de961f

SHA1 hash:

9af982394d1f6a114071a76cba3bb27fe7d310b6

Link:

https://www.unpac.me/results/b6cc12f8-cdfd-4110-9e8e-318bcb309176/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8c5e09a96b5420d6bf8cefaf5465ccc94c69e1849b7aa6ad194d3633d560742f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	golang_david_CSC846 Create hunting rule
Author:	David
Description:	CSC-846 Golang

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RansomPyShield_Antiransomware Create hunting rule
Author:	XiAnzheng
Description:	Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_Imphash_Mar23_3 Create hunting rule
Author:	Arnim Rupp (https://github.com/ruppde)
Description:	Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:	Internal Research

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

exe 8c5e09a96b5420d6bf8cefaf5465ccc94c69e1849b7aa6ad194d3633d560742f

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetAce
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileExW KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::CreateFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_API	Supports Windows Networking	MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample