MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14c72397b03fe9de15f1d70e2f8f75a52d92b372423edd1d73411f489c47cf62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 14c72397b03fe9de15f1d70e2f8f75a52d92b372423edd1d73411f489c47cf62
SHA3-384 hash: 49924ae6b022b1752b94511f5bccd2b185d494faf30e0008ac9261a56fe2e698e25fd7ee2ca64ead9512dea4348d00d4
SHA1 hash: f0a7b0cce5eaea27b7b29239533dcd0fc21e5931
MD5 hash: 0e0341b7eb3733d1b7f4e3e996d3b421
humanhash: three-fourteen-seven-beer
File name:38756363po78656.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:734'208 bytes
First seen:2020-10-08 19:12:25 UTC
Last seen:2020-10-08 19:24:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:8O3XfgOwAn0w/mpwuqJBgVjl6k6Q+QLxAOy6UH1urz/kPwnl1osTUbQtqD4R+yjZ:8ofJwglWnPbn9e6UMz/ywl1osT7+yrs
Threatray 204 similar samples on MalwareBazaar
TLSH 23F4BEC93A19669ECC0EC070C9364F769700A8657696C303FD23F99D7C69B92EE03D96
Reporter Racco42
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
DNS request
Sending an HTTP GET request
Creating a window
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/486022
Signature
Adds a directory exclusion to Windows Defender
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 295458 Sample: 38756363po78656.exe Startdate: 08/10/2020 Architecture: WINDOWS Score: 100 56 nagano-19599.herokussl.com 2->56 58 elb097307-934924932.us-east-1.elb.amazonaws.com 2->58 60 api.ipify.org 2->60 64 Malicious sample detected (through community Yara rule) 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 Yara detected MassLogger RAT 2->68 70 8 other signatures 2->70 10 38756363po78656.exe 1 2->10         started        14 apdate.exe 1 2->14         started        signatures3 process4 file5 48 C:\Users\user\...\38756363po78656.exe.log, ASCII 10->48 dropped 72 Detected unpacking (changes PE section rights) 10->72 74 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->74 76 Injects a PE file into a foreign processes 10->76 16 38756363po78656.exe 15 7 10->16         started        21 38756363po78656.exe 10->21         started        78 Multi AV Scanner detection for dropped file 14->78 80 Machine Learning detection for dropped file 14->80 23 apdate.exe 14->23         started        signatures6 process7 dnsIp8 50 elb097307-934924932.us-east-1.elb.amazonaws.com 50.19.252.36, 49735, 80 AMAZON-AESUS United States 16->50 52 192.168.2.1 unknown unknown 16->52 54 2 other IPs or domains 16->54 46 C:\Users\user\AppData\Roaming\...\apdate.exe, PE32 16->46 dropped 62 Adds a directory exclusion to Windows Defender 16->62 25 cmd.exe 1 16->25         started        27 cmd.exe 1 16->27         started        29 powershell.exe 25 16->29         started        file9 signatures10 process11 process12 31 apdate.exe 25->31         started        34 conhost.exe 25->34         started        36 timeout.exe 1 25->36         started        38 conhost.exe 27->38         started        40 schtasks.exe 1 27->40         started        42 conhost.exe 29->42         started        signatures13 82 Injects a PE file into a foreign processes 31->82 44 apdate.exe 31->44         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/14c72397b03fe9de15f1d70e2f8f75a52d92b372423edd1d73411f489c47cf62/
Threat name:
ByteCode-MSIL.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 19:14:07 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ctdshf5qh7u54fpr24hc7d3vuuwzfm3sii7n2hltiepurhchz5ra._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
2e6b47bbdb9f281c1432dc63d92d67ca891adf87e20edfa456789c8724a4b7b1
MassLogger
3662a3b002337c0da8ad94925e3c183f0a2d35b0932f9d40b89643335f10564d
MassLogger
8c3ea92bf0620d3126691eb0d463418170b88034e40dab26e8049ea5ceefd1f1
MassLogger
ab7cc003aa4d6807236dcd8983804a44a460a462c0e6d4ef70b3030f8ab6b366
MassLogger
c7f039cff52a5c1de59fb782259f3fd2054946e9fca03d364f61c7977128dcca
MassLogger
ce073fce9de335c288fe205d5bf7fbdd9fd3ecc718821116dbad098f176a69de
MassLogger
d8aebda89bb5717256e78b44dd9e9ef54179d3590f7a6125da452e877c083c48
MassLogger
d8cea078199dbdef51ec7189cf03541bbcbd10c49a133b187348e2a24fe1e2eb
MassLogger
dd5b3d947daecc91aa36e124a5bdcb1cb6b10fdb2d905a9a1e067bd6bdb4065b
MassLogger
f5d3f20a5e7fc84496267536833b84b4dce1c5cc168014215f396490c1430857
MassLogger
+ 194 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
spyware stealer family:masslogger
Link:
https://tria.ge/reports/201008-8cntmqspbj/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
14c72397b03fe9de15f1d70e2f8f75a52d92b372423edd1d73411f489c47cf62
MD5 hash:
0e0341b7eb3733d1b7f4e3e996d3b421
SHA1 hash:
f0a7b0cce5eaea27b7b29239533dcd0fc21e5931
Link:
https://www.unpac.me/results/13754f0b-9a13-45ba-8373-b8b987ad8431/
SH256 hash:
50516a95d5de86734f348ab67c5f08aa86c057acf1c3f6784b041a8c6e468893
MD5 hash:
f071b8eab227b18b0757140b73c44405
SHA1 hash:
bca9f2ab7f42c4db0bea91e2feec5aadf8807f66
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/13754f0b-9a13-45ba-8373-b8b987ad8431/
SH256 hash:
2bfca5903c8032f5887b86187ada70fa74ba8d4a2ee66e35c813764236acfd99
MD5 hash:
17d759892e413f4c9d3fa0c3682a5da3
SHA1 hash:
634ba4a6a019cac882a249013a3149ef7536f364
Link:
https://www.unpac.me/results/13754f0b-9a13-45ba-8373-b8b987ad8431/
SH256 hash:
165b6353a27653c087637f372f70713e4e0af658e87f03ba0703d8b975525243
MD5 hash:
112730ad698bcb62cfb8c64c4862640a
SHA1 hash:
6b42b1f3f372785c40b4f80c35d6aa2e0d012429
Link:
https://www.unpac.me/results/13754f0b-9a13-45ba-8373-b8b987ad8431/
SH256 hash:
6ba7158caa11c4c53c5a0ac3e03df156bff141f35ca7680efb6dde565f6978d8
MD5 hash:
6c0c4cba6c667ed1f627f280f307049c
SHA1 hash:
f2db3551cebfbb52d383636fc85446ad81793ab7
Link:
https://www.unpac.me/results/13754f0b-9a13-45ba-8373-b8b987ad8431/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/14c72397b03fe9de15f1d70e2f8f75a52d92b372423edd1d73411f489c47cf62

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe 14c72397b03fe9de15f1d70e2f8f75a52d92b372423edd1d73411f489c47cf62

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69359/

Comments