MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6617277eed1fb2d8f4ce67480c088620c102f62aeb584bb0a877abd43a7ad28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6617277eed1fb2d8f4ce67480c088620c102f62aeb584bb0a877abd43a7ad28
SHA3-384 hash: 39d9e900a7ccde3a7da5de622e6a75a57fc73c29844c862032f16f3244898882875b836bd63b7168ea0a341dbe901fc1
SHA1 hash: 42a686877a6cafe68b69cbfda5c3d18771ad7728
MD5 hash: 45e0778eee62dcc18250718528a2ebe5
humanhash: lithium-xray-lake-comet
File name:Document-00123.lnk
Download: download sample
Signature MassLogger
Create hunting rule
File size:3'755 bytes
First seen:2025-03-30 19:14:34 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/octet-stream
ssdeep 96:8zSTIW6Id1ZCVg1OwJGQPD054+v+iR7u:8zSkW6Id1ZCWOwJxQ4oV7
Threatray 755 similar samples on MalwareBazaar
TLSH T1D4715B502DEF01DDF2635B7217E9F6FB456AF8A5681E71B511820A400B31EC08862FBA
Magika lnk
Reporter abuse_ch
Tags:lnk MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e99a48cfd0a37f830a5d22
Tags:
autorun shell virus sage
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/f6617277eed1fb2d8f4ce67480c088620c102f62aeb584bb0a877abd43a7ad28/results/dashboard
Payload URLs
URL
File name
http://87.121.79.107:5000/download/d2a3df2824cf44f699930beb05711a4a.txt
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autorun cmd cscript evasive evasive lolbin masquerade obfuscated powershell powershell
Link:
https://www.filescan.io/uploads/67e99851631830704a8b7768/reports/daea73d2-c84c-4261-9262-55a79b09abf8/overview
Verdict:
Malicious
Labled as:
LNK/Autorun.Generic
Link:
https://www.hybrid-analysis.com/sample/f6617277eed1fb2d8f4ce67480c088620c102f62aeb584bb0a877abd43a7ad28
Result
Threat name:
Batch Injector, MSIL Logger, MassLogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1652316
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Encrypted powershell cmdline option found
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) starts blacklisted processes
Wscript starts Powershell (via cmd or directly)
Yara detected Batch Injector
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Powershell decode and execute
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1652316 Sample: Document-00123.lnk Startdate: 30/03/2025 Architecture: WINDOWS Score: 100 95 reallyfreegeoip.org 2->95 97 checkip.dyndns.org 2->97 99 checkip.dyndns.com 2->99 115 Found malware configuration 2->115 117 Malicious sample detected (through community Yara rule) 2->117 119 Windows shortcut file (LNK) starts blacklisted processes 2->119 123 21 other signatures 2->123 11 cmd.exe 1 2->11         started        14 cmd.exe 2->14         started        16 cmd.exe 1 2->16         started        18 9 other processes 2->18 signatures3 121 Tries to detect the country of the analysis system (by using the IP) 95->121 process4 dnsIp5 139 Windows shortcut file (LNK) starts blacklisted processes 11->139 141 Suspicious powershell command line found 11->141 143 Wscript starts Powershell (via cmd or directly) 11->143 145 2 other signatures 11->145 21 powershell.exe 17 19 11->21         started        26 conhost.exe 1 11->26         started        28 cmd.exe 14->28         started        30 conhost.exe 14->30         started        32 cmd.exe 1 16->32         started        34 conhost.exe 16->34         started        101 127.0.0.1 unknown unknown 18->101 36 cmd.exe 18->36         started        38 cmd.exe 18->38         started        40 14 other processes 18->40 signatures6 process7 dnsIp8 103 87.121.79.107, 49681, 5000 NETERRA-ASBG Bulgaria 21->103 105 45.141.233.51, 49682, 80 ASDETUKhttpwwwheficedcomGB Bulgaria 21->105 89 C:\Users\user\AppData\Local\...\tmpC0B3.vbs, ASCII 21->89 dropped 131 Found suspicious powershell code related to unpacking or dynamic code loading 21->131 42 cscript.exe 3 21->42         started        46 wscript.exe 1 21->46         started        133 Windows shortcut file (LNK) starts blacklisted processes 28->133 135 Suspicious powershell command line found 28->135 137 Wscript starts Powershell (via cmd or directly) 28->137 48 powershell.exe 28->48         started        50 conhost.exe 28->50         started        52 conhost.exe 32->52         started        54 powershell.exe 32->54         started        56 2 other processes 36->56 58 2 other processes 38->58 60 12 other processes 40->60 file9 signatures10 process11 file12 91 C:\Users\user\AppData\...\temp_script.bat, ASCII 42->91 dropped 147 Windows shortcut file (LNK) starts blacklisted processes 42->147 62 cmd.exe 1 42->62         started        65 conhost.exe 42->65         started        149 Wscript starts Powershell (via cmd or directly) 46->149 151 Windows Scripting host queries suspicious COM object (likely to drop second stage) 46->151 153 Suspicious execution chain found 46->153 67 cmd.exe 46->67         started        155 Tries to harvest and steal browser information (history, passwords, etc) 48->155 signatures13 process14 signatures15 157 Windows shortcut file (LNK) starts blacklisted processes 62->157 69 cmd.exe 2 62->69         started        72 conhost.exe 62->72         started        74 cmd.exe 67->74         started        76 conhost.exe 67->76         started        process16 signatures17 125 Windows shortcut file (LNK) starts blacklisted processes 69->125 127 Suspicious powershell command line found 69->127 129 Wscript starts Powershell (via cmd or directly) 69->129 78 powershell.exe 15 19 69->78         started        83 conhost.exe 69->83         started        85 conhost.exe 74->85         started        87 powershell.exe 74->87         started        process18 dnsIp19 107 checkip.dyndns.com 158.101.44.242, 49685, 49692, 49697 ORACLE-BMC-31898US United States 78->107 109 reallyfreegeoip.org 104.21.112.1, 443, 49687, 49696 CLOUDFLARENETUS United States 78->109 93 C:\Users\user\...\StartupScript_5bb2b659.cmd, ASCII 78->93 dropped 111 Installs new ROOT certificates 78->111 113 Found suspicious powershell code related to unpacking or dynamic code loading 78->113 file20 signatures21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6617277eed1fb2d8f4ce67480c088620c102f62aeb584bb0a877abd43a7ad28/
Threat name:
Win32.Trojan.Pantera
Create hunting rule
Status:
Malicious
First seen:
2025-03-28 13:02:01 UTC
File Type:
Binary
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6zqxe57o2h5s3d2m4z2ibqeimigbal3cv22yjoykq55l2q5hvuua._file
Verdict:
malicious
Label(s):
novastealer
Create hunting rule
Similar samples:
1336ab650908b4c79136b1cb0c2acdb5f84693c74f6a9767019a5d588bf04378
MassLogger
360ca290783e8135d794a7e5952a7b5a964cfad8a202438468aad9512d76afc9
MassLogger
4c753d4c900f614b1ae03309d3b319bb4081c9628dc3f61a9dee7e16e023e1ba
MassLogger
5524172a140702bfb03975d9a0d83b95e314fc48a9912292831d6c8af1fc3277
MassLogger
5981ad3b28c03107c09d9f076333ff11dcb9ac2625549ff70fe27d5741070170
MassLogger
b8ceae46f1e55b2cdcbb4a5681e4ec73dc2e3981b79cc7d4097a48e38a835467
MassLogger
d1bd52996d15f124682fc7c59f4a70d7b54f5a89919f8de36f09fe0efc51eb5c
MassLogger
error
MassLogger
fd3845afafae2b54ec9786c4f721a0e3fb5d0ad207b0eb055182d1f2173b8adb
MassLogger
+ 745 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection discovery execution
Link:
https://tria.ge/reports/250330-xyjj7avvhz/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction:
http://87.121.79.107:5000/download/d2a3df2824cf44f699930beb05711a4a.txt
Malware family:
PrivateLogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f6617277eed1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Execution_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:LNK_sospechosos
Create hunting rule
Author:Germán Fernández
Description:Detecta archivos .lnk sospechosos
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_CMD
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to cmd.exe inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments