MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3e03b14952892c47905fc23fa009c3ba80c9ea3e53516fca5def4e71db51463. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 16

Intelligence 16 IOCs YARA 14 File information Comments

SHA256 hash:	a3e03b14952892c47905fc23fa009c3ba80c9ea3e53516fca5def4e71db51463
SHA3-384 hash:	d66bf3df482b488927de3e2972b4e91834d830a1abae3768bfe0f23c49ee19ec3bbebdbcf5d3a6c80b800633a925bc4d
SHA1 hash:	78e89235b455d66c3beee851e9530452b60e9558
MD5 hash:	e1ebb944dc096898221edb776322b5b5
humanhash:	may-zebra-oklahoma-quiet
File name:	200009876543456789-98765432340088.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	770'548 bytes
First seen:	2022-05-05 10:15:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep	12288:VNDW0tRezfNx/GVJNR8srKef982/2SSH/bkHu1yTJ5HHgD:VNRtGfNxm6s3VHSfiu1yTHHg
Threatray	3'236 similar samples on MalwareBazaar
TLSH	T1D9F4F1D2F11042D9EC6A1732286B1CA219932DBEE5F5D11D71FA36223BF72A3401E95F
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	068f0b2a2b363f06 (19 x SnakeKeylogger, 8 x AgentTesla, 8 x MassLogger)
Reporter	abuse_ch
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

271

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

200009876543456789-98765432340088.exe

Verdict:

Malicious activity

Analysis date:

2022-05-05 10:18:43 UTC

Tags:

snake

Link:

https://app.any.run/tasks/afd0988d-53ff-4766-8fc2-419c11f7dd2a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/268845/

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Forced shutdown of a browser

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/16415/overview

Behaviour

MalwareBazaar

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6273a405801e66012b2a1c0f/reports/5b7bdb39-6775-41f5-964b-135c325cb5ec/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b6d93480-813b-4f8a-b654-17279d25593f

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/988407

Signature

.NET source code references suspicious native API functions

Contains functionality to capture screen (.Net source)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a3e03b14952892c47905fc23fa009c3ba80c9ea3e53516fca5def4e71db51463/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-05-05 10:16:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 42 (33.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=upqdwfevfcjmi6if7qr7uae4houazhvd4u2rn7ff332oohnvcrrq._file

Verdict:

malicious

MassLogger

9232ab4d2ed774c53e75cde52c4d062bea1a4033aa75ed01f906c0f763273801

MassLogger

af5296f251efe65427ddd30bef519fef4da8afb64e1621232a0adc86f4667e37

MassLogger

bb6c70d163e39d401e3f09be611d14b68d0a6f4d27c6628ee71e024ea3bd1e9d

MassLogger

c1e38b77d33987617b3ebd062909aeb830713508a6847eac373b004f83bde43f

MassLogger

f07c39a8c3ab2ff452ab3a80bf58aaf5200f178092cd143cede27ee3e1666020

MassLogger

+ 3'226 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger stealer

Link:

https://tria.ge/reports/220505-masg3sfga6/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Looks up external IP address via web service

Loads dropped DLL

Executes dropped EXE

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

e22e7f09d743e524d134f4b4bbf5f1eb5308a3edb954a40b8aa5e68c7b8cffd4

MD5 hash:

07e1f7163b7d8b6d80d83d1c819436ef

SHA1 hash:

ed7724c52e18b9810939327b803ca03837915836

Link:

https://www.unpac.me/results/44355694-a82b-4aab-afc0-62166701d5c2/

Parent samples :

1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50
7154910c217ddc6b6d3726e066d688288efbcd8682a4ad90556fed2ce9009c69
c5dd4dced21baff9499dac6505a77527ac91dc0b0f187c20e9b960b46b3636b9
90dd02313886725b3ad19eaa0780f7189d49e8d1a334e51e5432027e2326c14f

SH256 hash:

9023ee773bb27fec3275efdf6c3eb9556e6f07675dcd16d435322b7534ebee6b

MD5 hash:

4d9dfd5343869784c0a3894259c2be1c

SHA1 hash:

2604659f8f961b80b88510b4b99a5add0689cc8c

Link:

https://www.unpac.me/results/44355694-a82b-4aab-afc0-62166701d5c2/

SH256 hash:

421a6fc4cfb364665b8226a2912a3404bf4914155b309677655f3f89d810a7ce

MD5 hash:

475bd71bb9bef852fdedffc9a49a8606

SHA1 hash:

6e1ed0d0c53414e7a26b63d643d8cd79a0068e57

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/44355694-a82b-4aab-afc0-62166701d5c2/

Parent samples :

a3e03b14952892c47905fc23fa009c3ba80c9ea3e53516fca5def4e71db51463
3a0e589fa251577da7848b6fd2bafcc6d83bc81c6bee05322f41b78432dadad5
55a6538b91bcfc7f276bdc96e863fefd2f6bed25bdac956b67b8606bcfa843bd

SH256 hash:

1fb6b4f3bd2d6dfa0b642be380e0a710524114a0c411d184a02c270d76b14328

MD5 hash:

f1e90cb816f3e61e93d67e619bb68655

SHA1 hash:

5e71b2f3a92c0ed081bd5e38509bec09db045fb8

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/44355694-a82b-4aab-afc0-62166701d5c2/

SH256 hash:

5f982df0bc34599a5d66b083adec85b0373f75f89499131212cf493805c173d4

MD5 hash:

26b80eaeae0d7933d5525a8e8c4e04a5

SHA1 hash:

24adcf20b7bd5170ceb506fff87bd3fb58be6214

Link:

https://www.unpac.me/results/44355694-a82b-4aab-afc0-62166701d5c2/

SH256 hash:

a3e03b14952892c47905fc23fa009c3ba80c9ea3e53516fca5def4e71db51463

MD5 hash:

e1ebb944dc096898221edb776322b5b5

SHA1 hash:

78e89235b455d66c3beee851e9530452b60e9558

Link:

https://www.unpac.me/results/44355694-a82b-4aab-afc0-62166701d5c2/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a3e03b149528/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a3e03b14952892c47905fc23fa009c3ba80c9ea3e53516fca5def4e71db51463

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Lokibot_Stealer Create hunting rule
Description:	Detects Lokibot Stealer Variants

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

exe a3e03b14952892c47905fc23fa009c3ba80c9ea3e53516fca5def4e71db51463

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/268845/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample