MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be5861285d12d08aaa0999c23eb7292484598ea476eaba910f756a9e31898bcd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be5861285d12d08aaa0999c23eb7292484598ea476eaba910f756a9e31898bcd
SHA3-384 hash: abaded3ee2ca109e34b93a532ac49776e78d2bdba0662b5a2eb503cb274556c461b95856e02c9f1bf3de3ccaafea48bb
SHA1 hash: 4cbf64c9f424064d87c0a11c538ce66e3d002e86
MD5 hash: deef2dd4f0f80c33dd63e60f3982f961
humanhash: robert-london-equal-kentucky
File name:DHL - FINAL NOTICE - OVERDUE ACCOUNT - 1301609845.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:805'376 bytes
First seen:2025-04-30 08:15:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:DUfTsSJOkJ3+Pj93ohMdmr3CVcNU5C2yq:8Tsid3Kpoh0rQx
Threatray 798 similar samples on MalwareBazaar
TLSH T1A005F0583B5AC907C5912B780AB2F63853386E99A811D3176FD47EEFB9BAF451D00382
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 79ccb8849cdc7082 (1 x AgentTesla, 1 x MassLogger)
Reporter abuse_ch
Tags:DHL exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
413
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL - FINAL NOTICE - OVERDUE ACCOUNT - 1301609845.exe
Verdict:
Malicious activity
Analysis date:
2025-04-30 09:29:48 UTC
Tags:
evasion snake keylogger stealer ims-api generic
Link:
https://app.any.run/tasks/5f7c4452-c7af-4cc1-96ef-4972f9d8a215

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5161/
Detection(s):
Win.Packed.Formbook-10021419-0
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6811e17cc8b2e86d0ac50cf9
Tags:
masslogger micro spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Forced shutdown of a system process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/6811dc4c46fe05453caac267/reports/b6f9306c-2faa-4be6-aca1-03eff28ea1fa/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/be5861285d12d08aaa0999c23eb7292484598ea476eaba910f756a9e31898bcd
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a697b090-d723-48d6-aeb8-2dcde3e7f634
Result
Threat name:
MSIL Logger, MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1677962
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1677962 Sample: DHL - FINAL NOTICE - OVERDU... Startdate: 30/04/2025 Architecture: WINDOWS Score: 100 49 reallyfreegeoip.org 2->49 51 checkip.dyndns.org 2->51 53 checkip.dyndns.com 2->53 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Sigma detected: Scheduled temp file as task from temp location 2->71 75 13 other signatures 2->75 8 DHL - FINAL NOTICE - OVERDUE ACCOUNT - 1301609845.exe 7 2->8         started        12 BtBcVkgHHblNJy.exe 5 2->12         started        14 svchost.exe 2->14         started        signatures3 73 Tries to detect the country of the analysis system (by using the IP) 49->73 process4 dnsIp5 41 C:\Users\user\AppData\...\BtBcVkgHHblNJy.exe, PE32 8->41 dropped 43 C:\...\BtBcVkgHHblNJy.exe:Zone.Identifier, ASCII 8->43 dropped 45 C:\Users\user\AppData\Local\...\tmp7A99.tmp, XML 8->45 dropped 47 DHL - FINAL NOTICE... 1301609845.exe.log, ASCII 8->47 dropped 77 Writes to foreign memory regions 8->77 79 Allocates memory in foreign processes 8->79 81 Adds a directory exclusion to Windows Defender 8->81 17 powershell.exe 23 8->17         started        20 powershell.exe 23 8->20         started        22 RegSvcs.exe 15 2 8->22         started        25 schtasks.exe 1 8->25         started        83 Multi AV Scanner detection for dropped file 12->83 85 Injects a PE file into a foreign processes 12->85 27 RegSvcs.exe 12->27         started        29 schtasks.exe 12->29         started        59 127.0.0.1 unknown unknown 14->59 file6 signatures7 process8 dnsIp9 61 Loading BitLocker PowerShell Module 17->61 31 conhost.exe 17->31         started        33 WmiPrvSE.exe 17->33         started        35 conhost.exe 20->35         started        55 checkip.dyndns.com 193.122.6.168, 49683, 49686, 80 ORACLE-BMC-31898US United States 22->55 57 reallyfreegeoip.org 104.21.32.1, 443, 49684, 49685 CLOUDFLARENETUS United States 22->57 37 conhost.exe 25->37         started        63 Tries to steal Mail credentials (via file / registry access) 27->63 65 Tries to harvest and steal browser information (history, passwords, etc) 27->65 39 conhost.exe 29->39         started        signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/be5861285d12d08aaa0999c23eb7292484598ea476eaba910f756a9e31898bcd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be5861285d12d08aaa0999c23eb7292484598ea476eaba910f756a9e31898bcd/
Threat name:
Win32.Trojan.Alevaul
Create hunting rule
Status:
Malicious
First seen:
2025-04-30 04:26:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xzmgckc5cliivkqjthbd5nzjescftdveo3vlveipovvj4mmjrpgq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
novastealer
Create hunting rule
Similar samples:
2f50fe30204bcb809128d0e11eee90857b7a5eeed6e9ad74aaacb1589bb3d45f
MassLogger
3b901702a8dd7143f7c4df9fe2204d48a1e6b795da42d4a2db18f173d7ef90b4
MassLogger
4adebc457140bce59984b89557668f9017efb6bc379920625c3b09b2dd88ab9a
MassLogger
d16be68a77facd56c4553aff3be893308c986f726619cd0785b5cf8cd5993f88
MassLogger
+ 788 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger collection discovery execution spyware stealer
Link:
https://tria.ge/reports/250430-j57zgaxwfv/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Command and Scripting Interpreter: PowerShell
MassLogger
Masslogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7341689230:AAHymAZAjTKDwQdX3qK2HITohVFwhbvLPIc/sendMessage?chat_id=8074674260
Verdict:
Malicious
Tags:
Win.Packed.Formbook-10021419-0 404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/121a1300-404b-4ea0-a949-b200c71848a7
Unpacked files
SH256 hash:
be5861285d12d08aaa0999c23eb7292484598ea476eaba910f756a9e31898bcd
MD5 hash:
deef2dd4f0f80c33dd63e60f3982f961
SHA1 hash:
4cbf64c9f424064d87c0a11c538ce66e3d002e86
Link:
https://www.unpac.me/results/0572e559-d7d2-4304-b682-c023c3ee3ea7/
SH256 hash:
3f358937a974384f66ac6a4643243baf6690d5e9292e5bcc23e4b27aa74c722e
MD5 hash:
85ab96fb1f88a7c361d338143a210857
SHA1 hash:
3de54b83596b45581c3f3b5dd0e95b16ad451dcb
Detections:
win_404keylogger_g1
Create hunting rule
win_masslogger_w0
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/0572e559-d7d2-4304-b682-c023c3ee3ea7/
Parent samples :
f7d7afc2edcebc76bd79133bf4d72f6267df2557915d4baf9e8ef63f380f1666
8291fd2e2188911c99865faac1cf303e8587f69239e7dcbb5b9444bbe21c9cde
7080b6bd8792eaf9753134b20ce4ef1e7bb089bb62c109803f2c12c674194675
be5861285d12d08aaa0999c23eb7292484598ea476eaba910f756a9e31898bcd
c4d09e3feb7bc016940c0ee7aad4e23daba2a0fb4f6e00f193cfd88d52f43b93
0e3dce77ae4accfb1541548bb9c0ca6e9567406d5eb995483b747ede7f564f18
229e16ab2f80c80647e8da6f96d3c735c89574183c78aa1a4c8efdee43ab4ed5
bb7306eaef188dabe0ad73b9346fe2704a50a0e5e5f9557f365daa6a97a09182
02fe6d2d4a41946e2ecb73f29778cc3d94c30e53f824121af6732c08bb972419
80597422cfed734ee2786723bf0448604c6f04a7b7e3589b7560b44af887f999
b42a5dfc1af1fca35389fe545756943f0f1de63319a85dc506d99b09ea361154
d95ff41bfbaa705e05507570aad939636676d3a691814214998c7b8607f93cd1
74142a16663b8e31737676dcfe1d4216b74e4cd0d176215b1067fb5694481c3f
3f358937a974384f66ac6a4643243baf6690d5e9292e5bcc23e4b27aa74c722e
SH256 hash:
68eae871a0aaa9510bd28d5f7afd85e8aeb8099c82722d67d4ec380c33221314
MD5 hash:
9ffe2839da7f4db0fece4074218a7682
SHA1 hash:
b1a44370b2277024010b711e34a9793ded70ca78
Link:
https://www.unpac.me/results/0572e559-d7d2-4304-b682-c023c3ee3ea7/
SH256 hash:
47447ad256561786aa53a41a99dc0c77acbedb4bdc0b6203c0efd426007e49bf
MD5 hash:
ada174dff4a28910dec5cb8be01a576b
SHA1 hash:
ef16b30a4b354834d4af21a2d22f0e386e6c49af
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/0572e559-d7d2-4304-b682-c023c3ee3ea7/
Malware family:
PrivateLogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/be5861285d12/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be5861285d12d08aaa0999c23eb7292484598ea476eaba910f756a9e31898bcd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/5161/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments