MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e003aa6499e75fcb47a0288d1e43b523b13b394bb8b692eae0b314a124d6f26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e003aa6499e75fcb47a0288d1e43b523b13b394bb8b692eae0b314a124d6f26
SHA3-384 hash: b540a88d6b2ba8a53130bcc0f54759304ad97edfb1970dfaccccf8540268ec88cf9ef290e74391b9fb5af6c2b0ab2650
SHA1 hash: 2821a319fbfb2dd492b06ea26b444bbf225abad3
MD5 hash: 518f6ed1cbce45a852df7606e708e409
humanhash: tennis-blue-leopard-six
File name:SQ-107840 ecola.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:547'328 bytes
First seen:2020-11-25 14:12:15 UTC
Last seen:2020-11-25 15:57:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:o3ORZ6gcogIDqATwxTtuDgDd2KLH9Rvc3B:o3O6gco9VCTIEd1LoR
Threatray 547 similar samples on MalwareBazaar
TLSH BBC41214F778A661C93CA672EDA7804503314597B2D2E609B8CA32495B17FDB08D2FEF
Reporter James_inthe_box
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105646/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Gathering data
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/547021
Signature
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 322616 Sample: SQ-107840 ecola.exe Startdate: 25/11/2020 Architecture: WINDOWS Score: 96 34 g.msn.com 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for dropped file 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 6 other signatures 2->42 8 SQ-107840 ecola.exe 1 6 2->8         started        12 vlcc.exe 2 2->12         started        14 vlcc.exe 3 2->14         started        signatures3 process4 file5 28 C:\Users\user\AppData\Roaming\...\vlcc.exe, PE32 8->28 dropped 30 C:\Users\user\...\vlcc.exe:Zone.Identifier, ASCII 8->30 dropped 32 C:\Users\user\...\SQ-107840 ecola.exe.log, ASCII 8->32 dropped 44 Injects a PE file into a foreign processes 8->44 16 SQ-107840 ecola.exe 2 8->16         started        18 vlcc.exe 12->18         started        20 vlcc.exe 2 14->20         started        signatures6 process7 process8 22 WerFault.exe 23 9 16->22         started        24 WerFault.exe 18->24         started        26 WerFault.exe 19 9 20->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e003aa6499e75fcb47a0288d1e43b523b13b394bb8b692eae0b314a124d6f26/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-11-25 14:11:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dyadvjsjtz27znd2akendzb3ki5rhm4uxofwslvobmyuuesnn4ta._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
0bb9226c32e2505fc4f25a368e909afd29152096ac001aa604eda6ca16b34a3f
MassLogger
31b06ca8f90f735bd3b209e576db1da2a5ab7f661b58f85eaabcde2181978003
MassLogger
5b32ffc4c10114b55115da9f2c6e4ee22222f5d305552daf00a287b82d66c9dc
MassLogger
5f53adb34adbcb6eeec29d48e9d80a401d1476eff2e826cb2c7ac02d8d7e2785
MassLogger
85d37e778b87935b7cf08cda721089885e045e50444643074a22b53fa2446bde
MassLogger
ab7cc003aa4d6807236dcd8983804a44a460a462c0e6d4ef70b3030f8ab6b366
MassLogger
cc8e79ce79d0078b6483062f8fc8d187f5fdcf92c9f51db25551a19d22af0a87
MassLogger
d0f1b190868c2b25c602e6eee551a39fe677678d6e7dc45eb304fa82a5760799
MassLogger
e8fedfa7d06811f116ce712ea9e2c96918bc4e168105e092354ebd5f708319b7
MassLogger
f83ad58372165b89222b164f3da6a0b4edad02409d13df77e713ad860a6489e4
MassLogger
+ 537 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger persistence spyware stealer
Link:
https://tria.ge/reports/201125-nhby4kyqka/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
ServiceHost packer
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
9a62bef876195df05472b7fe3fe3cd24f6bce1ad176a59b2a8ec751312238d27
MD5 hash:
3ffebb4c7be76a22036df7a6cd0ac521
SHA1 hash:
2019c2a343f841d4d57637efad54b91dd3571e35
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/ec72ff4a-477f-46ef-a088-89033a0a4ada/
SH256 hash:
5dce254e723fefc349c389f16668629170c1d43ea9aff68f13f16b742cd30930
MD5 hash:
adf8c7f4d86afdd419a9b1746fdd16b9
SHA1 hash:
90b22cd762c398ae5f8848327ee3ff98e5b10173
Link:
https://www.unpac.me/results/ec72ff4a-477f-46ef-a088-89033a0a4ada/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/ec72ff4a-477f-46ef-a088-89033a0a4ada/
SH256 hash:
1e003aa6499e75fcb47a0288d1e43b523b13b394bb8b692eae0b314a124d6f26
MD5 hash:
518f6ed1cbce45a852df7606e708e409
SHA1 hash:
2821a319fbfb2dd492b06ea26b444bbf225abad3
Link:
https://www.unpac.me/results/ec72ff4a-477f-46ef-a088-89033a0a4ada/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e003aa6499e75fcb47a0288d1e43b523b13b394bb8b692eae0b314a124d6f26

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/105646/

Comments