MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf89ee5a964c6ba7ca2ac678c0727c0cde96b3a8a0268a103c1d529064dbc17e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 16

Intelligence 16 IOCs YARA 6 File information Comments

SHA256 hash:	cf89ee5a964c6ba7ca2ac678c0727c0cde96b3a8a0268a103c1d529064dbc17e
SHA3-384 hash:	c3d26bcaabfa5e646b894ee3fd4e7923e8fa2961c2d9075903e4ba0487cfae73e38a62f608b113b770168822e47b306a
SHA1 hash:	dc160a063ea344d0a0b5f2892a8a2b8b28d0653a
MD5 hash:	80bb97e480856923312c4347ac0a3076
humanhash:	two-nineteen-freddie-twenty
File name:	24032025Hesap Hareketleri.scr
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	629'256 bytes
First seen:	2025-03-24 12:24:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:nVgzMjvOn6nzxnXLyb28KcktsASpP73NZnfwS1QOAOe/suf1EkzWkR:yIj2n6n9o2A+s/JNZnomApDdEkh
Threatray	3'387 similar samples on MalwareBazaar
TLSH	T131D4E148AB98D816C6A727744671F63413BFAED86931E30A4FDC6CDB7F2BB004904392
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
dhash icon	70cca2b2b2a2cc70 (7 x Formbook, 7 x SnakeKeylogger, 5 x MassLogger)
Reporter	abuse_ch
Tags:	exe geo MassLogger scr TUR

Intelligence

File Origin

# of uploads :

# of downloads :

412

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

24032025Hesap Hareketleri.scr

Verdict:

Malicious activity

Analysis date:

2025-03-25 06:54:48 UTC

Tags:

evasion snake keylogger stealer ims-api generic

Link:

https://app.any.run/tasks/a6c61500-8877-4620-95ba-322d55850e24

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67e24bbebb84e066269ed8b1

Tags:

spawn shell virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

expired-cert invalid-signature masquerade obfuscated packed packed packer_detected signed

Link:

https://www.filescan.io/uploads/67e14f3e3e6805386cfe3f55/reports/02703d01-e6ac-46f0-8f29-d669e3bc9a66/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/cf89ee5a964c6ba7ca2ac678c0727c0cde96b3a8a0268a103c1d529064dbc17e

Result

Verdict:

MALICIOUS

Result

Threat name:

MSIL Logger, MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1647032

Behaviour

Behavior Graph:

n/a

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/cf89ee5a964c6ba7ca2ac678c0727c0cde96b3a8a0268a103c1d529064dbc17e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cf89ee5a964c6ba7ca2ac678c0727c0cde96b3a8a0268a103c1d529064dbc17e/

Threat name:

Win32.Trojan.CrypterX

Status:

Malicious

First seen:

2025-03-24 10:33:52 UTC

AV detection:

19 of 38 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=z6e64wuwjrv2psrkyz4ma4t4btpjnm5iuatiueb4dvjjazg3yf7a._file

Verdict:

malicious

Label(s):

unc_loader_037

novastealer

MassLogger

8c98088aa44045c4b7a4a7bebe5d98480fe5cad627b772554ebd0a324cafa37c

MassLogger

8e63fcd9e5fcdd993a7535a3990f28a4c95740d801dbfde8fb0d338bbae22d4c

MassLogger

91a04734fb1bfa93391d961ff94dfdfffc3021d6cf56cb31f9d696aa3251c6e2

MassLogger

error

MassLogger

+ 3'377 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

collection discovery execution spyware stealer

Link:

https://tria.ge/reports/250324-pltkmatkt3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Verdict:

Malicious

Tags:

404keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/83313f8a-3e84-4cd7-be35-120247403595

Unpacked files

SH256 hash:

cf89ee5a964c6ba7ca2ac678c0727c0cde96b3a8a0268a103c1d529064dbc17e

MD5 hash:

80bb97e480856923312c4347ac0a3076

SHA1 hash:

dc160a063ea344d0a0b5f2892a8a2b8b28d0653a

Link:

https://www.unpac.me/results/058a079d-cb5e-4d81-a8b3-c27c7dba0e44/

SH256 hash:

cd95dfcecbb701a2c702f6dad88198a03188f3f48b83c5787550bc74bd441f1d

MD5 hash:

bb17a7bf16544f2f4f174e467d85ed7a

SHA1 hash:

160058635eac2df31861a8efc218e059b12521c4

Detections:

win_404keylogger_g1

win_masslogger_w0

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/058a079d-cb5e-4d81-a8b3-c27c7dba0e44/

Parent samples :

0795a88b1c043cd208174cbca41e10832cd7ded4f56469244f8e9750b1f10efe
cf89ee5a964c6ba7ca2ac678c0727c0cde96b3a8a0268a103c1d529064dbc17e
6f792d2bb029b59975143f8590c6df9b1bb3a7e26d53ec3346a2ab5382819d99

SH256 hash:

43f19f72b48a73107a5dd89054db29038826ebf0cb55d75734d19299ab0b5427

MD5 hash:

0523104f92baa83c1a647deab7c4a19a

SHA1 hash:

592b15d436aa13f5b31ddbc3f8eecdf3f4fb8af6

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/058a079d-cb5e-4d81-a8b3-c27c7dba0e44/

SH256 hash:

72bfd47266006b378f1b63658456e1fa450b4c8fa93a1e0c484f51261573257a

MD5 hash:

4966311889e08f67f7fa6bae9272372e

SHA1 hash:

6fbbd39bcdcf4891b07bab95d14e20f00ce710ce

Link:

https://www.unpac.me/results/058a079d-cb5e-4d81-a8b3-c27c7dba0e44/

Malware family:

PrivateLogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cf89ee5a964c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cf89ee5a964c6ba7ca2ac678c0727c0cde96b3a8a0268a103c1d529064dbc17e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample