MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c9ae5cd740c1da7060b92ddb33f3a3893e361aad45a2accc64d43bd9a1a4106. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	0c9ae5cd740c1da7060b92ddb33f3a3893e361aad45a2accc64d43bd9a1a4106
SHA3-384 hash:	caa65aa0fd4ec48caad70192da274fda80c9ed608637ebfdd7e6a3b7fc9dbbbc6e9fa2dd323c7ba3955342b2239fb946
SHA1 hash:	68147a8a6df961c600414cdd786bbf0caa966510
MD5 hash:	dfd6b2ff20c9d4a934b14ff63efc899d
humanhash:	london-social-stairway-potato
File name:	FV00620224400 009384766589.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'078'784 bytes
First seen:	2020-10-09 15:45:00 UTC
Last seen:	2020-10-09 17:16:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:K247LVmMlcPGbd88X+Y4+BONR54QfJzcSyAYX7x1rNTe:G7QkyG5tX+z+wX54FSyAkx5NTe
Threatray	287 similar samples on MalwareBazaar
TLSH	113512CA73D87BCDD4AB9A301F756D209A72FD6E462B860E0413D45E4D6C982DB003B7
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing MassLogger:

HELO: e347122.name-servers.gr
Sending IP: 195.201.120.33
From: 720341@telkom.co.id
Subject: salinan pembayaran
Attachment: FV00620224400 009384766589.r15 (contains "FV00620224400 009384766589.exe")

MassLogger FTP exfil server:
ftp.persisiciptautama.com:21

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/69591/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Launching a process

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/486917

Signature

Adds a directory exclusion to Windows Defender

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Detected unpacking (changes PE section rights)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has nameless sections

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0c9ae5cd740c1da7060b92ddb33f3a3893e361aad45a2accc64d43bd9a1a4106/

Threat name:

ByteCode-MSIL.Trojan.NanoBot

Status:

Malicious

First seen:

2020-10-09 11:57:58 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bsnoltlubqo2obqlslo3gpz2hcj6gynk2rncvtggjvb33gq2ieda._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

0e27fff0e39073727446b880aca45cf3a065e450308c36b06374233318d7833c

MassLogger

7f65935cd55b5a0978bf0a70690462a08d83657a97ddbe6aba871a5496d5f9c5

MassLogger

8878c46875d3b0d420bd76508490e5c6df7a55359d1d039f0edb145e836addb1

MassLogger

9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4

MassLogger

9c4a2d8473718bdb1725450b6f0567098006b9aa89fbd913acab1bab0857143d

MassLogger

ab7cc003aa4d6807236dcd8983804a44a460a462c0e6d4ef70b3030f8ab6b366

MassLogger

dc0087097e433036c00aaf8751d4cd9dc3e309fdba09c2ee1415a4060aa1cced

MassLogger

ed42640da83dda3bf2ed08c414bfd256a82c9a8ef1894a59e3c421b254c59d4d

MassLogger

f925d649aee4b92c974778fd87576229f44972c23df41df5aacdd9dc55fd2c45

MassLogger

+ 277 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

spyware stealer family:masslogger

Link:

https://tria.ge/reports/201009-12clgrhtqn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

MassLogger

MassLogger Main Payload

Unpacked files

SH256 hash:

0c9ae5cd740c1da7060b92ddb33f3a3893e361aad45a2accc64d43bd9a1a4106

MD5 hash:

dfd6b2ff20c9d4a934b14ff63efc899d

SHA1 hash:

68147a8a6df961c600414cdd786bbf0caa966510

Link:

https://www.unpac.me/results/d97458cc-4ab3-41ce-a41b-693b270284c5/

SH256 hash:

13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43

MD5 hash:

109cedae3c384a1913107f1efad2b7c8

SHA1 hash:

1f7f35b0ed85fa12bb839cbce698e59a30813420

Link:

https://www.unpac.me/results/d97458cc-4ab3-41ce-a41b-693b270284c5/

SH256 hash:

6ffbfb8c055b70bca7166f04d59d0c5cdbc7ca05b7783319150bdb8e06827cb4

MD5 hash:

3610e1c5792ef25c4df3511339883d8b

SHA1 hash:

5fc8f14cc6c5216332e82bf6019a757f65e5acc6

Link:

https://www.unpac.me/results/d97458cc-4ab3-41ce-a41b-693b270284c5/

SH256 hash:

9bbb5ed19ba79565a5e37ef1a4bc98426a4865683386dba519b90434ae954333

MD5 hash:

c8df97ba9430d688772d7594a3d1b50e

SHA1 hash:

6959623d249cced9cccb17330b0a81687ca7e956

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/d97458cc-4ab3-41ce-a41b-693b270284c5/

Parent samples :

8878c46875d3b0d420bd76508490e5c6df7a55359d1d039f0edb145e836addb1
0c9ae5cd740c1da7060b92ddb33f3a3893e361aad45a2accc64d43bd9a1a4106
bf5bfc937843a28416a3481a7ab598e3e5ce6020c8a651a836a27ca7eca06410
cf68e1b1e8e89cf03b0d721957c794936947c8cf5f8c30401c20e075e4b37c6e
19d2886d97bf7362c767b77c7a9dec1cdf71c7606a3ceb035fe25e8b8bebddef
f94d7839e0a58e3c070f7c8d5a08558d10447c950388c9398fbb56917b4dc855
087016e068280f25be110f04b962e738ae3099344e053d914810801acd28a2cb

SH256 hash:

655919c44045b3b41305c514e4458d85992cb2ebcba38f3a814b90240d81f2dc

MD5 hash:

103fff24260eb122c9b09f37dc24d49e

SHA1 hash:

d22e0f9cdf0bf82e21d563ca163bdcbd8638f0c1

Link:

https://www.unpac.me/results/d97458cc-4ab3-41ce-a41b-693b270284c5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0c9ae5cd740c1da7060b92ddb33f3a3893e361aad45a2accc64d43bd9a1a4106

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf