MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18a6b8961bad38e78e24206c4716dc311c53ba24c4d930fc32e4a70b3821b6f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18a6b8961bad38e78e24206c4716dc311c53ba24c4d930fc32e4a70b3821b6f4
SHA3-384 hash: ad2799f3fe04b41f7e0a55ea1ccd15dd1b4e277cebfcca954a5f95d412a5088ab13146a5042efee5809e97d5a87a1914
SHA1 hash: d2bf49a90756bcfd0057802944aebb09dd0184ef
MD5 hash: 13ac205992d2d91cf8ddbabe82799abd
humanhash: wolfram-harry-ack-carolina
File name:WIRE REMITTANCE SLIP.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'783'320 bytes
First seen:2020-10-06 23:26:17 UTC
Last seen:2020-10-06 23:55:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 49152:Ky037X+ByELF2EpvFfnl1xMXbeCPYUcF3lw81G7Fi+HSb5+vTsJ:Ky0rX+ByELF2Ep9xMTPYUWDwirwTm
Threatray 265 similar samples on MalwareBazaar
TLSH F0851229775ABBB4F83DEB301015638601D6B2C02DDF802EFF9ABD74A7A19541049F9B
Reporter FORMALITYDE
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Launching a process
Reading critical registry keys
Sending a custom TCP request
Creating a file
Setting a global event handler for the keyboard
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/483451
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18a6b8961bad38e78e24206c4716dc311c53ba24c4d930fc32e4a70b3821b6f4/
Threat name:
ByteCode-MSIL.PUA.Malrep
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 23:28:07 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dctlrfq3vu4opdreebweofw4geofhoreytmtb7bs4stqwobbw32a._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
45c513f108712bc98e81a23e054b3d20de0e7ed152c1e42807ae5deeae7606c5
MassLogger
535341ccd7f05015229ea15f24fa23baa11cc7596f7c79962564c6ed69fa4c64
MassLogger
65e1f86de7b69f4eac3430c49757b5b11905ded68d9a6c7d1eca46f8609db4a1
MassLogger
72ceeee6538d869e032d33c4cac0b1e51f34b9e32bf1e17f475b5609ddfe0bf8
MassLogger
75b393eaeeac4e4f3ef5ef787a853d4e4ed2594522c5421bb0d47ddfa0db412c
MassLogger
9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4
MassLogger
9c4a2d8473718bdb1725450b6f0567098006b9aa89fbd913acab1bab0857143d
MassLogger
c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104
MassLogger
e0e3ae47b7e48c3c81724d0a63f5f6f8033bb516d97c538ea52349a102a0e1b6
MassLogger
ec4ee2fa916e9fc280f06af0ceded7835693723ebbc6c60bd6e371b5d4ad006a
MassLogger
+ 255 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware
Link:
https://tria.ge/reports/201006-bzj655jata/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
2904c66b0d26f940b29ff4dffe3c6e28dfb6e9324de3913bcdf9de4d6531643c
MD5 hash:
ed32494c6128418cdcd0fc9200aa6f9b
SHA1 hash:
5becf1881eddb78c29275725fc075a5bf7ff8068
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/05d1c1ff-1b5b-4717-9807-3379cf3bd77d/
Parent samples :
ac82ad815fbc2727215d5caa1488944d5aa2c29d7820343f85f29c08fbbbfcce
18a6b8961bad38e78e24206c4716dc311c53ba24c4d930fc32e4a70b3821b6f4
SH256 hash:
e327fab9eb8a9309c5f9a7a72ad675c11a761ec0d360d5134b2f355617438968
MD5 hash:
50de53fbe72d64f5b092223a5cf024b1
SHA1 hash:
6992fd7f176a7f274f9fc4f86e8718af5fe983b4
Link:
https://www.unpac.me/results/05d1c1ff-1b5b-4717-9807-3379cf3bd77d/
SH256 hash:
a9bdf8ff2cf545d3c786350fb5850a44b1fed970637c1cc6894f0f612a3d6d33
MD5 hash:
6051579116be38069e62aba2a2fed804
SHA1 hash:
e68b369bc131a32d5233ee395f47b337c2469042
Link:
https://www.unpac.me/results/05d1c1ff-1b5b-4717-9807-3379cf3bd77d/
SH256 hash:
18a6b8961bad38e78e24206c4716dc311c53ba24c4d930fc32e4a70b3821b6f4
MD5 hash:
13ac205992d2d91cf8ddbabe82799abd
SHA1 hash:
d2bf49a90756bcfd0057802944aebb09dd0184ef
Link:
https://www.unpac.me/results/05d1c1ff-1b5b-4717-9807-3379cf3bd77d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Barys
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/18a6b8961bad38e78e24206c4716dc311c53ba24c4d930fc32e4a70b3821b6f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe 18a6b8961bad38e78e24206c4716dc311c53ba24c4d930fc32e4a70b3821b6f4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68696/

Comments