MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30303b663e0b7b9824cc59298b36f824b607b4fb85de53af6aac3a023d895513. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30303b663e0b7b9824cc59298b36f824b607b4fb85de53af6aac3a023d895513
SHA3-384 hash: 018968b4625776fba4aba9c10a935dd70e35394be69c413f3361a61afbafe16cb970dd04211165b4b7cc01493320577c
SHA1 hash: 2fb79bef67a697450313f3d13ef121f9e6bd96a8
MD5 hash: a7d58a3a9f2ff3e1fefd69ed12cceeb1
humanhash: minnesota-wolfram-happy-aspen
File name:SecuriteInfo.com.Trojan.GenericKD.35282137.30229.32211
Download: download sample
Signature MassLogger
Create hunting rule
File size:727'040 bytes
First seen:2020-12-18 19:32:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:Y5wNnMlwLsockASSoNDHyAWO2eB87G9/ik4p5l3Hacrtuqax:vNYE9ckIoyOwGtKp3HwB
Threatray 28 similar samples on MalwareBazaar
TLSH 5BF412323846D624C1990D79EA5254FC02ADEEB2F7B2E2C33197BB9E6478FD44A0D14D
Reporter SecuriteInfoCom
Tags:MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
305324844
Verdict:
Malicious activity
Analysis date:
2020-11-26 10:32:28 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/9b981e4f-aca0-4e77-8897-a4b4234ae27a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108496/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.35282137.30229.32211.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Sending a UDP request
Creating a process from a recently created file
Creating a window
Unauthorized injection to a recently created process
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Enabling the 'hidden' option for recently created files
Moving a recently created file
Changing a file
Changing an executable file
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for files in the %temp% directory
Moving a file to the %temp% directory
Blocking the Windows Defender launch
Setting a single autorun event
Creating a file in the mass storage device
Launching the process to interact with network services
Enabling autorun by creating a file
Encrypting user's files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
4444_Ransomware Maoloa Snatch Ransomware
Create hunting rule
Detection:
malicious
Classification:
rans.spre.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/566599
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Deletes shadow drive data (may be related to ransomware)
Disables security and backup related services
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Spreads via windows shares (copies files to share folders)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
Yara detected 4444_Ransomware
Yara detected Maoloa
Yara detected Ransomware_Generic
Yara detected Snatch Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 332383 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 18/12/2020 Architecture: WINDOWS Score: 100 62 Antivirus detection for dropped file 2->62 64 Antivirus / Scanner detection for submitted sample 2->64 66 Multi AV Scanner detection for dropped file 2->66 68 11 other signatures 2->68 9 SecuriteInfo.com.Trojan.GenericKD.35282137.30229.exe 3 7 2->9         started        process3 file4 52 C:\Users\user\AppData\Roaming\...\bfsv.exe, PE32 9->52 dropped 54 C:\Users\user\...\bfsv.exe:Zone.Identifier, ASCII 9->54 dropped 56 SecuriteInfo.com.T...82137.30229.exe.log, ASCII 9->56 dropped 74 Creates an undocumented autostart registry key 9->74 76 Injects a PE file into a foreign processes 9->76 13 wscript.exe 1 9->13         started        15 SecuriteInfo.com.Trojan.GenericKD.35282137.30229.exe 501 9->15         started        signatures5 process6 signatures7 18 cmd.exe 1 13->18         started        78 Spreads via windows shares (copies files to share folders) 15->78 21 cmd.exe 15->21         started        process8 signatures9 70 Very long command line found 18->70 72 Disables security and backup related services 18->72 23 cmd.exe 18->23         started        26 cmd.exe 1 18->26         started        28 cmd.exe 1 18->28         started        32 6 other processes 18->32 30 conhost.exe 21->30         started        process10 dnsIp11 58 2.0.0.0 FranceTelecom-OrangeFR France 23->58 34 conhost.exe 23->34         started        60 3.0.0.0 AMAZON-02US United States 26->60 36 conhost.exe 26->36         started        38 sc.exe 1 26->38         started        46 3 other processes 26->46 40 conhost.exe 28->40         started        48 3 other processes 28->48 42 conhost.exe 32->42         started        44 conhost.exe 32->44         started        50 7 other processes 32->50 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30303b663e0b7b9824cc59298b36f824b607b4fb85de53af6aac3a023d895513/
Threat name:
ByteCode-MSIL.Trojan.DelShad
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 19:03:57 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
012cf160ecfb1550f8b2805d6741e42f0e289cc8c22081e5c7c35cd5c287db42
MassLogger
228cb0b4f58f72e44a6325c45da54adf0892deedcece6b010659f354f863c260
MassLogger
290452bb8eb4dfcc3cfb1590c8fb1b44427a3c9f0439ad5855e35bc39537a3a3
MassLogger
32dc5aca6f7a54f4755ff65364abf1334d054cf96f79b0d8dbc2a0657c5ec1c9
MassLogger
3ca289bac2df826b2d7c4faa05cd9f39a948fdf47872d56ddcfd1a45e60be963
MassLogger
8611b66792009b09d0b2459319d53f4bc276400c55db9ebeb88527526d727156
MassLogger
985aeed489ef3a3af3b21b0adb1bc8a4e7d444522b742bfedee03da6879b7fc8
MassLogger
9a55095bce5f28440aeed18e9997322e0b1786208f6029d42a189804dc19738b
MassLogger
e43f0cf8905305adbb28597ad256c8e0547fe3ce3c648095635c1ae94ab0dbb9
MassLogger
f7f3acea6b67e6b5db697777ab0bd656febfe648e4d79519010ba805e329fdc0
MassLogger
+ 18 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware trojan
Link:
https://tria.ge/reports/201218-bbgk57hyaa/
Behaviour
Discovers systems in the same network
Kills process with taskkill
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Launches sc.exe
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Drops startup file
Reads user/profile data of web browsers
Modifies service settings
Stops running service(s)
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
30303b663e0b7b9824cc59298b36f824b607b4fb85de53af6aac3a023d895513
MD5 hash:
a7d58a3a9f2ff3e1fefd69ed12cceeb1
SHA1 hash:
2fb79bef67a697450313f3d13ef121f9e6bd96a8
Link:
https://www.unpac.me/results/70c70f2d-be46-4142-aeab-59ee19562255/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Filecoder
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/30303b663e0b7b9824cc59298b36f824b607b4fb85de53af6aac3a023d895513

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe 30303b663e0b7b9824cc59298b36f824b607b4fb85de53af6aac3a023d895513

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/928372/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/108496/

Comments