MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b74ffc3b3d45094970d071d5af22cb7b8ebe5a67bc23347dd61f7ecafa2b9f85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 15

Intelligence 15 IOCs YARA 18 File information Comments

SHA256 hash:	b74ffc3b3d45094970d071d5af22cb7b8ebe5a67bc23347dd61f7ecafa2b9f85
SHA3-384 hash:	2af7264888e9206a3a8c973d7b6898e4ca10ca312c941e4f3598ab40941d20b94fbe29386768e71e421cdfcd041cfb05
SHA1 hash:	f10c41ce064b119d599ab7cfb306eff801adaa33
MD5 hash:	9182b0dd46fcfb344d576fbd13b81538
humanhash:	april-echo-tennessee-queen
File name:	SIP_20252701095738583757327401213.bat
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	538'120 bytes
First seen:	2025-03-11 07:50:30 UTC
Last seen:	2025-03-11 09:06:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:6buc154ghhTGUQisCVyDjfwj5sukQHSNIqiVYLwYFT0HaXQee3SkR:6buaOuyPwj5vkQHZqiOLDvO
TLSH	T1BBB4F195E3B8EF91D5B05BB00D71E23207B96E2EE430E2465DD8ACDB34A1764302976F
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
dhash icon	72ceaeaeb2968ea8 (5 x RemcosRAT, 4 x MassLogger, 3 x PureLogsStealer)
Reporter	lowmal3
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

391

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SIP_20252701095738583757327401213.bat

Verdict:

Malicious activity

Analysis date:

2025-03-11 08:42:25 UTC

Tags:

snake keylogger evasion stealer

Link:

https://app.any.run/tasks/7035a877-75ff-41e0-8396-3867a47573dd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67cff6ce1f777fe30608dcc9

Tags:

injection obfusc shell

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

invalid-signature masquerade obfuscated packed packed packer_detected signed

Link:

https://www.filescan.io/uploads/67cfeb7bb32a56d0c2cf60a4/reports/dc177826-cab1-45c3-ade4-17bb757141fc/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/b74ffc3b3d45094970d071d5af22cb7b8ebe5a67bc23347dd61f7ecafa2b9f85

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4c4c4edb-f2ca-4dbc-bf45-cab1b80e25d4

Result

Threat name:

MSIL Logger, MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1634988

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected MSIL Logger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b74ffc3b3d45094970d071d5af22cb7b8ebe5a67bc23347dd61f7ecafa2b9f85

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b74ffc3b3d45094970d071d5af22cb7b8ebe5a67bc23347dd61f7ecafa2b9f85/

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=w5h7yoz5iueus4gqohk26iwlpohl4wthxqrti7owd57mv6rlt6cq._file

Verdict:

malicious

Label(s):

unc_loader_037

novastealer

Similar samples:

error

MassLogger

Result

Malware family:

n/a

Score:

8/10

Tags:

collection discovery execution spyware stealer

Link:

https://tria.ge/reports/250311-jp1v8awrt6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Verdict:

Malicious

Tags:

404keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/a8781f8c-41ae-45d6-a034-52cb10ae6625

Unpacked files

SH256 hash:

b74ffc3b3d45094970d071d5af22cb7b8ebe5a67bc23347dd61f7ecafa2b9f85

MD5 hash:

9182b0dd46fcfb344d576fbd13b81538

SHA1 hash:

f10c41ce064b119d599ab7cfb306eff801adaa33

Link:

https://www.unpac.me/results/a04704ce-abca-4db4-9c29-627e4b18134f/

SH256 hash:

de8c9e136cdee47f85a41376993c3384591a5444fe86b558d938f5126cd07c7e

MD5 hash:

b94f77c5ccefb69ea3f0e8473c253ee4

SHA1 hash:

1cec543b1679dfa17f70553dcc17d84b881b31ea

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/a04704ce-abca-4db4-9c29-627e4b18134f/

Parent samples :

b74ffc3b3d45094970d071d5af22cb7b8ebe5a67bc23347dd61f7ecafa2b9f85
6654e909452d713f3f51aa800e0633bbc63e859bb3f63f5c833273e516f1c3d3
cf6365bfb6ff4604e981baa9fab6a5f57c141e58a50401d8c273ab02844b7dbd
6436df943cf575aaa1f311c20b10650f6ebba35add1a45c1b736fe713949ac21
ea1a35ea870465623c9478c6a1afb90cdca0579189a45eda755afbe2cd9d022f
41415c1dab37487faf427095855fb66cafa150ae15b9c515234e1e0b5f733aa8
06c800d5feba73344681fe9f7fa2cf6606d18fc37cc0a84cbcce2e06fa6dd9f9
b6ae18a5eade4cdd5181289b7786f7c579f10161aba8753ac3e0042d1afff2d8
1587d0df87cff791bee9142151cd753acdc57571af58b7ce16a616afb92bac94

SH256 hash:

f6bcdbd13b5b747af4e9a0fd4e7667f0de56aa9d12ee1d76d28eb047ef4bc147

MD5 hash:

e0d6463999975ac20ec1ce197ca67888

SHA1 hash:

2e0a5494001a08f6958fb08fc66a6a26bc13bd3c

Detections:

win_404keylogger_g1

win_masslogger_w0

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/a04704ce-abca-4db4-9c29-627e4b18134f/

Parent samples :

4bd5d8dbd871399e808370b9ec7adadc46a28ee4af8a48478b69c391f3236637
b74ffc3b3d45094970d071d5af22cb7b8ebe5a67bc23347dd61f7ecafa2b9f85
0c41a305e80960e4c7c2c890fd707429091d3bb87d5726ed7c13373d626e85cd

SH256 hash:

bf216f625374b12a63f5c00f308afc5a4d3b54650cb2a477de8f9a6c634e3062

MD5 hash:

58a02d91b7409708605d4de2a9bf1522

SHA1 hash:

e80359c542a8ca972d6775d93ffbf5a5366f02db

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/a04704ce-abca-4db4-9c29-627e4b18134f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b74ffc3b3d45094970d071d5af22cb7b8ebe5a67bc23347dd61f7ecafa2b9f85

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

exe b74ffc3b3d45094970d071d5af22cb7b8ebe5a67bc23347dd61f7ecafa2b9f85

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample