MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9510229f4802ae23ce7e8606ec144245afacc864a8391e3c640e1da2ebd524a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9510229f4802ae23ce7e8606ec144245afacc864a8391e3c640e1da2ebd524a
SHA3-384 hash: 17979e98825199468e6f275649e9b9877ad8cec5d0a9bb01359bcf4cfb908ea8d76b2fe4965bba0f7249e2259180ca6c
SHA1 hash: fcfa4abf5c184b4fd3df38d2980544c33dbcbd1d
MD5 hash: 00f8c8c1f90e631ebfbfcee425ef7bf7
humanhash: kansas-nineteen-fruit-early
File name:Ziraat Bankasi Swift Mesaji.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:668'160 bytes
First seen:2024-12-12 20:34:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:qjlIpHtMPku+l0CPPe4U/4WIlYO3z33t9BvuIa0oGx/Tc7uEt9dP:qjlIhSPd+p0ylDz33t/e0xZQKi9dP
Threatray 2'076 similar samples on MalwareBazaar
TLSH T16AE4BFC03B2A7701DEACB934857AEDBC62541E74B004B8F36EED2B57B6991126E1CF50
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon f0cc862b23b2ccf0 (8 x Formbook, 2 x DarkCloud, 1 x VIPKeylogger)
Reporter abuse_ch
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
449
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ziraat Bankasi Swift Mesaji.exe
Verdict:
Malicious activity
Analysis date:
2024-12-12 20:44:23 UTC
Tags:
evasion snake keylogger stealer telegram ims-api generic
Link:
https://app.any.run/tasks/8837ba43-ef37-4b93-9e57-4e9863f9be2a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BackDoor.AgentTeslaNET.37.616.24261.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=675b4ad489dbe216234c4b5f
Tags:
keylog snake virus word
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Setting a global event handler for the keyboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected
Link:
https://www.filescan.io/uploads/675b48f7d0bf6a811f2d54e5/reports/f23bace9-db3c-4e3e-8621-96e86e6b4bab/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a9510229f4802ae23ce7e8606ec144245afacc864a8391e3c640e1da2ebd524a
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1b3a5b30-e9bd-47ab-a389-14695d36ccdc
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1574076
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a9510229f4802ae23ce7e8606ec144245afacc864a8391e3c640e1da2ebd524a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9510229f4802ae23ce7e8606ec144245afacc864a8391e3c640e1da2ebd524a/
Threat name:
Win32.Exploit.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-12-12 17:11:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vfiqekpuqavoephh5bqg5qkeernpvtegjkbzdy6gidq5ulv5kjfa._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
snakekeylogger
Create hunting rule
Similar samples:
3ca1c11c2d4173581e8007b955c912dd1d6abdb1bafe03924aca8cba437df745
MassLogger
4aa26829657bbdb5983129321451365832a69fde42f22687b9a7c598f2e04301
MassLogger
75691dfc15e24ea4920f9309bc68aedf808fb60379c0410d898cafaab4f8328b
MassLogger
c2b5b464df452292c93aef46b5ea83f0f837e2e15021e7cb5ad6aed1709a6188
MassLogger
db8277552d180fadd48f3c2953422ffa24b4cc4569e1931f968d6ee7ec22cf12
MassLogger
error
MassLogger
+ 2'066 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery spyware stealer
Link:
https://tria.ge/reports/241212-zc1bxswqhy/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Verdict:
Suspicious
Tags:
404Keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/966a7c0b-1f11-4797-9a4b-8d48efe9018b
Unpacked files
SH256 hash:
366cfb2015078d80637bad5e41ba879903fafc17fe6d24d74210fbbfeaa07bd6
MD5 hash:
6c6509adcd386e5aa612f7a9c3d8a04b
SHA1 hash:
d36a9e2f20a88d035da9f976ba551358cbb3f913
Link:
https://www.unpac.me/results/3f950495-2253-4a33-8cc0-a6a4acf1b0f1/
SH256 hash:
f9fd509b87358f6658444b82ff1360d21abf6b750671ef740b13c0fbb39d56a9
MD5 hash:
56888e367e73d3703ad7efb633d0364f
SHA1 hash:
cc253ecfe9a24bac5867aa3309658d9a5126546f
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/3f950495-2253-4a33-8cc0-a6a4acf1b0f1/
SH256 hash:
8a74f7533565dfc4f5621c202f57a77dfd09b0f5e70b3a676d3d41c935dc9a3a
MD5 hash:
cfed5ac34c6797616027ee951ca476ea
SHA1 hash:
b0dd5f895f0d209caff304506e260ef08706294c
Detections:
win_masslogger_w0
Create hunting rule
win_404keylogger_g1
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Link:
https://www.unpac.me/results/3f950495-2253-4a33-8cc0-a6a4acf1b0f1/
Parent samples :
8f382b44be98d01413be1f9dc3221e6565e35d73fe41a94f9727b9ce4c71d6c9
a9510229f4802ae23ce7e8606ec144245afacc864a8391e3c640e1da2ebd524a
SH256 hash:
a9510229f4802ae23ce7e8606ec144245afacc864a8391e3c640e1da2ebd524a
MD5 hash:
00f8c8c1f90e631ebfbfcee425ef7bf7
SHA1 hash:
fcfa4abf5c184b4fd3df38d2980544c33dbcbd1d
Link:
https://www.unpac.me/results/3f950495-2253-4a33-8cc0-a6a4acf1b0f1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
MassLogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9510229f4802ae23ce7e8606ec144245afacc864a8391e3c640e1da2ebd524a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments