MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01163e556055d4918fe33453f3aff7ca3074da1e887492c418c1f5298c691c42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01163e556055d4918fe33453f3aff7ca3074da1e887492c418c1f5298c691c42
SHA3-384 hash: 17e65741a9ae28f128ec7fd54a4a09b685305b2fcd8ef28e65df162545d82955cb4fa491a4cf147963d712ad95fb90f6
SHA1 hash: 8511b23b2b4b9e16dfc9df8a7b974613ee6728be
MD5 hash: f29ce16e37d1010823cd498370eb9131
humanhash: aspen-jig-colorado-sad
File name:f29ce16e37d1010823cd498370eb9131.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'214'976 bytes
First seen:2020-08-06 08:28:46 UTC
Last seen:2020-08-06 13:37:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:JQ14M/V8gil1kTzC8ezys+ViJaDgZ3BPdpgqVhh8c9K:KCM/V8gdzC8fYugZ3Jfg6l9
Threatray 271 similar samples on MalwareBazaar
TLSH 0345F16C27E84A12F65A177DAC728612CF31F80F5C27A30F6A7138AE5977794AC41B13
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
MassLogger SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/40412/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.46680.4007.10785.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/412667
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01163e556055d4918fe33453f3aff7ca3074da1e887492c418c1f5298c691c42/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-06 08:29:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aeld4vlakxkjdd7dgrj7hl7xziyhjwq6rb2jfrayyh2stddjdrba._file
Verdict:
unknown
Similar samples:
0e2359712d56cd2288252596dcb2b77f444c2aeb53b3a88846058aa327f8f4cb
MassLogger
15ac6b1a7fdb92b545dae44b1a88d6328629944771bdce75002637cdbf299027
MassLogger
3cac6951b870ea92b65b38ffbae3777f979788da0a8fac7ddc0cab11eb46e6e8
MassLogger
53a05748df93fa8c44d170d47a1abd61ec9ec27980867c7cb87d3d9841f70ccf
MassLogger
756fde810887452ab2533283973f2e582df198988bcafde9f20dc85e35f4d5c4
MassLogger
a540201f44f378a2bcade1e6190cd5784ae7cc0bc0f1138436afeb7b10ef7050
MassLogger
d1176c3c4ab396d3bad7dd15c881fdb4e38922e9f7e539dc1035768f366edcf9
MassLogger
e0b95a4255056cbad985d2d8e2ef1ab22720b758af99bd8d15a5d2d81d650fff
MassLogger
e9111465f64f15932c37cbcf81cc493a8f8abf34470670729f5b63bb48f7d31b
MassLogger
f155dd64a514c9ea5ffc36222d1c66c8daf6416945dbc8e8dd7a5b2cefae02d3
MassLogger
+ 261 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200806-3b4hp3y4pj/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01163e556055d4918fe33453f3aff7ca3074da1e887492c418c1f5298c691c42

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe 01163e556055d4918fe33453f3aff7ca3074da1e887492c418c1f5298c691c42

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/40412/
  
URLhaus
https://urlhaus.abuse.ch/url/426021/
  
Delivery method
Distributed via web download

Comments