MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b756d9f63963c6272fa1873b1e5d25e569201c44f09f83b103b8ff2f99eb443. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b756d9f63963c6272fa1873b1e5d25e569201c44f09f83b103b8ff2f99eb443
SHA3-384 hash: a8baa5c7ec40f8770f73c3bfdd5622a23ac70a54f551e7d4defc5b19ea63fd145b25c27b1ef90c9894e5705335fa1272
SHA1 hash: cc3a3b766ebbd81f56c759bc0363d12c7c7df92f
MD5 hash: 8c63ee48a3ee135f8a24ba6dbc960d38
humanhash: earth-eight-mars-single
File name:SecuriteInfo.com.Variant.Strictor.275243.4783.12617
Download: download sample
Signature MassLogger
Create hunting rule
File size:162'736 bytes
First seen:2022-09-08 09:47:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:D0f6jMeqPqyow7Wje/6pNZuq8AdKsBPDwbMsykRRjEMSeQ0tyvBHMc:D0UWejzuqIsebMsFXsBMc
Threatray 2'217 similar samples on MalwareBazaar
TLSH T19AF38D887654B8CFC82BC932C9DA4D609BA07C6B5717C217B09B37AC895D7DBCE050E6
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Variant.Strictor.275243.4783.12617
Verdict:
Malicious activity
Analysis date:
2022-09-08 09:49:53 UTC
Tags:
evasion stealer quasar
Link:
https://app.any.run/tasks/3f4b5183-b063-4af2-a8fd-e5b001924317

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308696/
Detection(s):
SecuriteInfo.com.Variant.Strictor.275243.4783.12617.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Query of malicious DNS domain
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6319ba591d4a849311e130af/reports/492142fe-fca1-4b1f-b765-cb1366827c1b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BluStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/34421640-b1a6-43c8-a2ad-dd11604dad77
Result
Threat name:
BluStealer, DarkCloud, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1066986
Signature
Allocates memory in foreign processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected BluStealer
Yara detected DarkCloud
Yara detected Generic Downloader
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b756d9f63963c6272fa1873b1e5d25e569201c44f09f83b103b8ff2f99eb443/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-09-08 09:48:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dn2w3h3dsy6ge4x2dbz3dzoslzljeaoej4e7qoyqhoh7f6m6wrbq._file
Verdict:
malicious
Similar samples:
3909f1e1d41d36e0f62bd770841a0a8ea28c2b7d52f2e2fc77457538fbd7a291
MassLogger
3e2842c40ff26c60b69e08934b9b80fefe0cd2d091fbd6fa91a2b97f3487137c
MassLogger
52e3ee0168f34ab782a8103dc77814efe970b2a0fc5636a7266a4ea3e9bae2e7
MassLogger
6566cde4ba73cc0316c3de8c2c23c90aa6f76bd4d824d45b5b5c1d23d2655d16
MassLogger
711d00503de479cd6ffd1492e2d42eecd96c9a946c0d6bb088dd37c696a76f00
MassLogger
8f35478a4170bb13e9c66e9d01f701c07cfdaff3ca52bfccd718bca15dbb0f21
MassLogger
b44fca03a737dabed36acbe2a42cac044fb33e5571a919c669926b1aba3f4150
MassLogger
beb46012919018735132f1ca08c31ac870b2be20e97a4b3fac463616c5504fa0
MassLogger
c362ad9f9f4035ccc651762387b567234b98f24d73e5588f0ab35c7face15fab
MassLogger
fdeafb2bf6cc3d798d2fa099f3619d096f17a57b89172020922c2a63f48d8aeb
MassLogger
+ 2'207 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:blustealer family:stormkitty collection spyware stealer
Link:
https://tria.ge/reports/220908-lsrstsbdel/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
BluStealer
StormKitty
StormKitty payload
Unpacked files
SH256 hash:
c149ddcb097205affad50d1216155d48bb4424b7626ac13453fba3f5117d038a
MD5 hash:
b450630ff430355248f7f20eb8c696ef
SHA1 hash:
3165daf5a3957c472b292c9e2adc538843151fa1
Link:
https://www.unpac.me/results/efcdd9de-9b88-4eca-96b6-5d453ef9c465/
SH256 hash:
b589871bf12692ed73f3383e32e8701ac1c357b56e5d0b272fade5f7ef89260f
MD5 hash:
2771600c4cba7301fd1e79b016d62912
SHA1 hash:
4f3298320c3c950e8cf0b23669da66a367e368e1
Link:
https://www.unpac.me/results/efcdd9de-9b88-4eca-96b6-5d453ef9c465/
SH256 hash:
eceffd5170c7e343f0afdd919f19972f7202cb84fb3558f6bd4aafd166183959
MD5 hash:
e0507a69b1107411e5367fa1b94d8d0d
SHA1 hash:
15830bb47eaa58f9959b07d0a36b751dee6ea67d
Detections:
win_agent_tesla_g2
Create hunting rule
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/efcdd9de-9b88-4eca-96b6-5d453ef9c465/
SH256 hash:
1b756d9f63963c6272fa1873b1e5d25e569201c44f09f83b103b8ff2f99eb443
MD5 hash:
8c63ee48a3ee135f8a24ba6dbc960d38
SHA1 hash:
cc3a3b766ebbd81f56c759bc0363d12c7c7df92f
Link:
https://www.unpac.me/results/efcdd9de-9b88-4eca-96b6-5d453ef9c465/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1b756d9f6396/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b756d9f63963c6272fa1873b1e5d25e569201c44f09f83b103b8ff2f99eb443

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/308696/

Comments