MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9165b9f24866c71b77654ac1c7667d93c30bbc29905e9469eb7e48f08104720c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	9165b9f24866c71b77654ac1c7667d93c30bbc29905e9469eb7e48f08104720c
SHA3-384 hash:	8840ee68ff3d92e63a91bcd80c9eef6c81f328e59b4948f786226bbbcaccab1190fd7e4a6bcf676bfae23bbed611ff39
SHA1 hash:	bf8300ae12f120d1c74b57c15bf1b0131a727f24
MD5 hash:	c5abec8c7c276d286238343595323fde
humanhash:	fourteen-summer-jupiter-summer
File name:	HB.dll
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	130'560 bytes
First seen:	2021-07-07 13:27:58 UTC
Last seen:	2021-07-07 14:47:08 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep	3072:88W3ZVQj1bSToqWUBw1APr8gw0JTSURY:LW3ZVQpLqTAcr
Threatray	1'117 similar samples on MalwareBazaar
TLSH	3DD3E85A36C58B01C9585DB9C1EB5A3417E3FAC723B7D3893E4556CA0E013E9DC8ABC8
Reporter	James_inthe_box
Tags:	dll MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

105

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/170208/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.36888082.29465.10836.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3129b33c-f8a8-445f-b310-65deb32102b3

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/801364

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9165b9f24866c71b77654ac1c7667d93c30bbc29905e9469eb7e48f08104720c/

Threat name:

Win32.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2021-05-03 21:27:23 UTC

File Type:

PE (.Net Dll)

AV detection:

22 of 46 (47.83%)

Threat level:

5/5

Verdict:

malicious

Label(s):

masslogger

MassLogger

150e8ef3f1b0d5b5b2af2ffc8d540cb0e36ecdcaf5001bab2f318e36a3c25302

MassLogger

586d1a857c5a8c41192992c4eb6cf61810e5d7289e761369ff2ac25f173d052d

MassLogger

596a1c5715dc377f51c2f905f8d80302f1c6e3ea9352da6f1760061b09361d2b

MassLogger

6aae470221ba1879a26af8172df018f07eafa1f26857a8b33092b7da5582317c

MassLogger

8506352e60dea0ee05bff79a9408f910850735939399bdf040c40ffdead19d61

MassLogger

972d8fcd3083eb6c81e2dc704d8e0ec1b097e43b7ef5576cf8cccc4e8fc85925

MassLogger

ac2af77c54d07502b2876ea53be6934c029e5666a26e73bf259da1795a6fd8b9

MassLogger

bc311f3c19e407e05cc082c71c5b5691a3eeb553338906b6d2dce9dc5b8f4be7

MassLogger

bc7cbed34a28008fed6c5c7d7fea8658d4abeb1eff5b06e06a917680d5091fcf

MassLogger

+ 1'107 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210707-cjwpw74t3x/

Behaviour

Suspicious use of WriteProcessMemory

Unpacked files

SH256 hash:

9165b9f24866c71b77654ac1c7667d93c30bbc29905e9469eb7e48f08104720c

MD5 hash:

c5abec8c7c276d286238343595323fde

SHA1 hash:

bf8300ae12f120d1c74b57c15bf1b0131a727f24

Link:

https://www.unpac.me/results/94cc9aa1-adc2-4506-9b13-786bde099fa9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9165b9f24866c71b77654ac1c7667d93c30bbc29905e9469eb7e48f08104720c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	extracted_at_0x44b Create hunting rule
Author:	cb
Description:	sample - file extracted_at_0x44b.exe
Reference:	Internal Research

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/170208/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample