MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cfaf73ddf6e3feddd2f730a8f047bb8e578fba3f39ea01393eba0fa80ebe13e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0cfaf73ddf6e3feddd2f730a8f047bb8e578fba3f39ea01393eba0fa80ebe13e
SHA3-384 hash: 34cca8b9fec2ffca6133e360a1ca8dc59cd1e2ac991ef26b821564a5d0ca7e3b22eede7a5cf4ac59809e919d120bb9ca
SHA1 hash: 4c33e182fd061c32ca07998ea9c400f4461dc7ff
MD5 hash: 770794b83e35334b509c03028e6e9867
humanhash: hotel-seventeen-bulldog-music
File name:SecuriteInfo.com.Artemis770794B83E35.3724
Download: download sample
Signature MassLogger
Create hunting rule
File size:435'200 bytes
First seen:2020-11-24 11:14:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'820 x AgentTesla, 19'743 x Formbook, 12'286 x SnakeKeylogger)
ssdeep 12288:oxBWtMfBXnmbBUvibZJbUFO8fUIdfbr4eFTb:oxBWtMJnmb26bbgg8cKfX4eFTb
Threatray 49 similar samples on MalwareBazaar
TLSH 1894125A1BCD8B26C29E19FAE6C072218374FE6B2BDAD35E38D841384F113D7910761B
Reporter SecuriteInfoCom
Tags:MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Sending a UDP request
DNS request
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/545922
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0cfaf73ddf6e3feddd2f730a8f047bb8e578fba3f39ea01393eba0fa80ebe13e/
Threat name:
ByteCode-MSIL.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-24 11:15:06 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
394460b6c0b33b4e5d45308e968e765627fb9f34d4ad8c51b8922543d6bf2490
MassLogger
3cb1955eec13265edab82971675922208f0ef9d05ee1107bc321be2eb6633ef2
MassLogger
6cb35d59850a6e43f2b6cfe1de03a41d81ab9bc07bfdb1b4b1f3cadba53d3086
MassLogger
6fb60c80bdc9cd558a384b468dc8b8467fb2e02764728e6a0ebc28ca865f31f6
MassLogger
78491e950a624399f497cedd25cae2231223b1bcd2f93379480b3c9edb4c6a92
MassLogger
a328acf6d3bec1a1f6f3b304d6aac3ecdf36d074bb398e8d0245423ddbb9fc72
MassLogger
a8883460eb4eda4b981767c15ae6fadf5dd2c5ff7d8d8325b417bbdf71dece1a
MassLogger
bc36fa2314f4e45645af22ca75887b7b627de4a65bfd1d274f18e7fc1975c8e4
MassLogger
dc4475e7d864b18f90b1a3b812d6f1e98d46fbb24771405c1b15c9c1cba8a10f
MassLogger
ecf592d2aed1d17b4c75e72a40edeb9b4396c8c9181cee7519ebe63bb7391870
MassLogger
+ 39 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger persistence spyware stealer
Link:
https://tria.ge/reports/201124-rhrw3p2fqn/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
0cfaf73ddf6e3feddd2f730a8f047bb8e578fba3f39ea01393eba0fa80ebe13e
MD5 hash:
770794b83e35334b509c03028e6e9867
SHA1 hash:
4c33e182fd061c32ca07998ea9c400f4461dc7ff
Link:
https://www.unpac.me/results/d451447d-a24e-48a7-99a7-eac214346f30/
SH256 hash:
c7107d7b877fe94f3e0235e019cc0acf2fd57cbd6aee624206b07ce7283bccdd
MD5 hash:
e13eaa821d5bc7b4d01259a48bf8861c
SHA1 hash:
2faf94b79f43531b6df4099a572ecf833ab49762
Link:
https://www.unpac.me/results/d451447d-a24e-48a7-99a7-eac214346f30/
SH256 hash:
2a43f8aec3d1463a8ed371cc400613ca9dc45fc5362f7b078c261f1a8f54f21e
MD5 hash:
b63fb7f8f88bb99123a3d4fbfe68cbfd
SHA1 hash:
5aa755d96ba7a2897f7bea052273ede929967dff
Link:
https://www.unpac.me/results/d451447d-a24e-48a7-99a7-eac214346f30/
SH256 hash:
b8f68b9d6bf69c0e77079b69e81eb4d9182892a32ceec13a57ca23a79f5f6535
MD5 hash:
09aa581e83f9a6467ed261926db33586
SHA1 hash:
ac83dfea15a766efeeb7e67bfaf305bdfed91faf
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/d451447d-a24e-48a7-99a7-eac214346f30/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0cfaf73ddf6e3feddd2f730a8f047bb8e578fba3f39ea01393eba0fa80ebe13e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Saudi_Phish_Trojan
Create hunting rule
Author:Florian Roth
Description:Detects a trojan used in Saudi Aramco Phishing
Reference:https://goo.gl/Z3JUAA

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe 0cfaf73ddf6e3feddd2f730a8f047bb8e578fba3f39ea01393eba0fa80ebe13e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/848839/
  
Delivery method
Distributed via web download

Comments