MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23bd17fba8c0cb660dada2c952431dc7e335bbdfb8e34078da941a29652526d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23bd17fba8c0cb660dada2c952431dc7e335bbdfb8e34078da941a29652526d5
SHA3-384 hash: 64b7adb15d5da6c20025d9f447b5c02f93325d875a88dec33d77343bd7683da06b056da57d9b13fbd223a0947a1f2a80
SHA1 hash: 3c7ec69d79271f47d0237d947220b5c0cc74cf8e
MD5 hash: b12eb506a5ee264b880686ac4bb29e8d
humanhash: quiet-ack-speaker-solar
File name:b12eb506a5ee264b880686ac4bb29e8d.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:186'368 bytes
First seen:2020-10-13 14:55:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 3072:gdXWYV9n6Nm2G9NfPyPiuokdJ23JPOEceN9N06qx7ZMtcuuVa8Swsm:gdmO9n6Nm2gNfP+iIUZWEcmz0PTMeuui
Threatray 476 similar samples on MalwareBazaar
TLSH 4004DA28CD56D833FCAE7BF6F46049EAAB2094157C12EE0F45860EC68D1FBC5184B92D
Reporter abuse_ch
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70534/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.ch.20503.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file
Creating a file in the Windows subdirectories
Launching a process
Creating a window
Changing a file
Setting a global event handler
Running batch commands
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Searching for the window
Forced system process termination
Creating a process with a hidden window
Possible injection to a system process
Unauthorized injection to a recently created process
Launching a tool to kill processes
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/489951
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 297447 Sample: TaZW21ma0P.exe Startdate: 13/10/2020 Architecture: WINDOWS Score: 88 60 Antivirus / Scanner detection for submitted sample 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 Machine Learning detection for sample 2->64 66 2 other signatures 2->66 8 cmd.exe 1 2->8         started        10 TaZW21ma0P.exe 1 2->10         started        14 taskkill.exe 1 2->14         started        process3 file4 16 2n2az3as.exe 2 8->16         started        19 conhost.exe 8->19         started        52 C:\Users\user\AppData\...\TaZW21ma0P.exe.log, ASCII 10->52 dropped 68 Injects a PE file into a foreign processes 10->68 21 TaZW21ma0P.exe 4 10->21         started        24 conhost.exe 14->24         started        signatures5 process6 file7 54 Antivirus detection for dropped file 16->54 56 Multi AV Scanner detection for dropped file 16->56 58 Disables Windows Defender (via service or powershell) 16->58 26 powershell.exe 21 16->26         started        28 powershell.exe 23 16->28         started        30 powershell.exe 16->30         started        34 8 other processes 16->34 50 C:\Windows\Temp\2n2az3as.exe, PE32 21->50 dropped 32 cmstp.exe 9 7 21->32         started        signatures8 process9 process10 36 conhost.exe 26->36         started        38 conhost.exe 28->38         started        40 conhost.exe 30->40         started        42 conhost.exe 34->42         started        44 conhost.exe 34->44         started        46 conhost.exe 34->46         started        48 4 other processes 34->48
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/23bd17fba8c0cb660dada2c952431dc7e335bbdfb8e34078da941a29652526d5/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 14:57:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
1643306adbe8c7e38ee965ab974c1d074afc671c0e5aa0c2b50a18cc67036a50
MassLogger
2e4775c5d181f37f4a0802a9982601352f0a7de1ffd74909024150572ed6522b
MassLogger
5e94b03664c3674f3eab1e750ffde61d3d21d938ec0ce21f6f64bc9362aeb084
MassLogger
6ff29c14c56cbe768cd5674a752b8be053a3ce8d80f4cf0ab58bcd266ca1297d
MassLogger
79541840f37314c88b923c55cfa29bc952a514242edce7b9a54a937a6f5ed985
MassLogger
878e1a1b65cc05eb728bf4ce85b7ad87576bbc9c8465d1348c71cef4e8c098f2
MassLogger
ce4c9d123144cb01aaa09ecfc34a21b6808c8d891fdd777e3bc8736fc3d877ca
MassLogger
d8f37e199f10881b2045823553fd64f3f52ec616e24f2235a47dae7c435a3c72
MassLogger
d9f4e53838a43981dee675993924484cd508c1d6fe40d619694e313e9d1e6569
MassLogger
f86974cc3a2a1d06dcc4effe66d6e27380dd4e4e4fe254a1b88a3ea3c7e681c4
MassLogger
+ 466 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/201013-mt2ryksnv6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious use of SetThreadContext
Executes dropped EXE
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
23bd17fba8c0cb660dada2c952431dc7e335bbdfb8e34078da941a29652526d5
MD5 hash:
b12eb506a5ee264b880686ac4bb29e8d
SHA1 hash:
3c7ec69d79271f47d0237d947220b5c0cc74cf8e
Link:
https://www.unpac.me/results/a800aec9-8d70-4377-be1f-1a63a3689167/
SH256 hash:
3790a7acbedf2250806c6d467fe425c6aec20eb58ba5b01c71e2e5e864e32471
MD5 hash:
d6e546a0de7807960b0ca8e4f073168d
SHA1 hash:
4706f6e06c32b1ad3165104a854dabab28a13002
Link:
https://www.unpac.me/results/a800aec9-8d70-4377-be1f-1a63a3689167/
SH256 hash:
86c6510af4d1f82e3db07d491d25533a9cd2b5ffe5260befde78656bcbbb14c2
MD5 hash:
c073a5bd013041059063bb22412e5210
SHA1 hash:
6a72cfb6a58b45c0016316c1f1476ac8bf56a177
Link:
https://www.unpac.me/results/a800aec9-8d70-4377-be1f-1a63a3689167/
SH256 hash:
165b6353a27653c087637f372f70713e4e0af658e87f03ba0703d8b975525243
MD5 hash:
112730ad698bcb62cfb8c64c4862640a
SHA1 hash:
6b42b1f3f372785c40b4f80c35d6aa2e0d012429
Link:
https://www.unpac.me/results/a800aec9-8d70-4377-be1f-1a63a3689167/
SH256 hash:
f7dddc64672f015553168ccbdfe70e44a8ada4d20f2314c5b5c9eed171eb60d6
MD5 hash:
1ac2039d65e22148cda817e08940d7f0
SHA1 hash:
4d627e1259caba34cc08e8ccfbb4f65ff59c2118
Link:
https://www.unpac.me/results/a800aec9-8d70-4377-be1f-1a63a3689167/
SH256 hash:
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
MD5 hash:
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1 hash:
ca70ec96d1a65cb2a4cbf4db46042275dc75813b
Link:
https://www.unpac.me/results/a800aec9-8d70-4377-be1f-1a63a3689167/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/23bd17fba8c0cb660dada2c952431dc7e335bbdfb8e34078da941a29652526d5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe 23bd17fba8c0cb660dada2c952431dc7e335bbdfb8e34078da941a29652526d5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/439722/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/70534/
  
URLhaus
https://urlhaus.abuse.ch/url/686529/
  
URLhaus
https://urlhaus.abuse.ch/url/686533/
  
URLhaus
https://urlhaus.abuse.ch/url/446500/

Comments