MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfd642ed5f14bce81563b3921c242393a9ac2a1865a8344af8b29b9faaa16a7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfd642ed5f14bce81563b3921c242393a9ac2a1865a8344af8b29b9faaa16a7f
SHA3-384 hash: 007c9e3976ee6118f82083da846c56e917216a6a27fa900c023eabd3c41268658f977f54e9b4c77951c045c451daa87e
SHA1 hash: 57d2dd2565c041d08bdcd852908e72fdaf1e2519
MD5 hash: c0c9edfbc5bfdf460fee48fbc1320835
humanhash: river-three-mars-friend
File name:Fizetési_másolat_UniCredit Bank_Hungary.bat
Download: download sample
Signature MassLogger
Create hunting rule
File size:396'390 bytes
First seen:2025-04-01 05:50:23 UTC
Last seen:2025-05-27 07:59:01 UTC
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 12288:tjBEc3VepVqEFV6dylARp8DGalqx9ydnGNn:tjM1FV0rpYdwxK4
Threatray 841 similar samples on MalwareBazaar
TLSH T18284C0711DC0ADDB4E2EEF2EC166264D2263D9BD3871328E26131ED8D76F042AD27586
Magika vba
Reporter smica83
Tags:bat HUN MassLogger UniCreditEurope

Intelligence

File Origin
# of uploads :
3
# of downloads :
91
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Copia de pago_Banco_BBVA.bat
Verdict:
Malicious activity
Analysis date:
2025-03-28 12:52:55 UTC
Tags:
snake keylogger evasion stealer ims-api generic
Link:
https://app.any.run/tasks/05973df7-6ec1-4e31-aad0-bce07cc93276

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Other.Malware-gen.16731.14888.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67eb81fc855e5ec5240b4148
Tags:
obfuscated shell virus
Result
Threat name:
MSIL Logger, MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1653409
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Suspicious command line found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1653409 Sample: Fizet#U00e9si_m#U00e1solat_... Startdate: 01/04/2025 Architecture: WINDOWS Score: 100 35 reallyfreegeoip.org 2->35 37 checkip.dyndns.org 2->37 39 checkip.dyndns.com 2->39 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for dropped file 2->55 59 12 other signatures 2->59 10 cmd.exe 1 2->10         started        13 svchost.exe 1 1 2->13         started        signatures3 57 Tries to detect the country of the analysis system (by using the IP) 35->57 process4 dnsIp5 69 Suspicious powershell command line found 10->69 71 Suspicious command line found 10->71 73 PowerShell case anomaly found 10->73 16 cmd.exe 1 10->16         started        19 conhost.exe 10->19         started        45 127.0.0.1 unknown unknown 13->45 signatures6 process7 signatures8 47 Suspicious powershell command line found 16->47 49 PowerShell case anomaly found 16->49 21 powershell.exe 22 16->21         started        process9 file10 33 C:\Users\user\AppData\Roaming\xivDXrAf.dll, PE32+ 21->33 dropped 61 Uses ping.exe to check the status of other devices and networks 21->61 63 Writes to foreign memory regions 21->63 65 Creates a thread in another existing process (thread injection) 21->65 67 Powershell drops PE file 21->67 25 PING.EXE 15 3 21->25         started        29 conhost.exe 21->29         started        signatures11 process12 dnsIp13 41 checkip.dyndns.com 132.226.247.73, 49722, 80 UTMEMUS United States 25->41 43 reallyfreegeoip.org 104.21.112.1, 443, 49723 CLOUDFLARENETUS United States 25->43 75 Tries to harvest and steal browser information (history, passwords, etc) 25->75 31 conhost.exe 25->31         started        signatures14 process15
Score:
97%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/dfd642ed5f14bce81563b3921c242393a9ac2a1865a8344af8b29b9faaa16a7f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dfd642ed5f14bce81563b3921c242393a9ac2a1865a8344af8b29b9faaa16a7f/
Threat name:
Win32.Exploit.Minerva
Create hunting rule
Status:
Malicious
First seen:
2025-03-27 21:40:10 UTC
File Type:
Text
AV detection:
11 of 36 (30.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=37lef3k7cs6oqfldwojbyjbdsou2ykqymwudisxywknz7kvbnj7q._file
Verdict:
malicious
Label(s):
donut_injector
Create hunting rule
novastealer
Create hunting rule
Similar samples:
13468d59ce57b2c059aa39c0ae0a1753c93ce9cae130a23d0ea306f3aaf1773c
MassLogger
14f6cc465c16b2b06dca025ac97d6824d0793554b1599b68e401379b4f2cb12a
MassLogger
27be1fda8c87477ab97c0df0ff72311f87a80f404337f1bb269e37dbe266972d
MassLogger
6357866d9a4110843c44f4a4986d50a0af5380f4e185373d062f123d73fe63d9
MassLogger
8432a87c1daeb7a4a13a6bee0ab55d5c96919b2d29dfddc5682f9289023a5ed6
MassLogger
b41c2dc07ebec91f9606b75710eab439f1a4928874180aa36748527f96512c8d
MassLogger
ced40caee716f956a4db4d96f10daa8b80f6c30371f2490129b6cf212dcfd223
MassLogger
error
MassLogger
f99267a4d305fa5fbbcc6c474c8dc3f0c071e837829db5ec805a67161270d7f1
MassLogger
+ 831 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery execution
Link:
https://tria.ge/reports/250401-gj7epsvsax/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Loads dropped DLL
Malware family:
PrivateLogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dfd642ed5f14/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dfd642ed5f14bce81563b3921c242393a9ac2a1865a8344af8b29b9faaa16a7f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

MassLogger

Batch (bat) bat dfd642ed5f14bce81563b3921c242393a9ac2a1865a8344af8b29b9faaa16a7f

(this sample)

Executable exe 42db132e0da7bd25d1518ea5275f2488fcd996325659a488d8c0c4eb7fec8ee1

  
Dropping
SHA256 42db132e0da7bd25d1518ea5275f2488fcd996325659a488d8c0c4eb7fec8ee1
  
Dropping
MD5 2582036f3946206280b2486b0f30e3a6

Comments