MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31dbbb21f357a3c24fc9257a46fbf71c42b17e870a8a07d035d74eadb5d47c6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31dbbb21f357a3c24fc9257a46fbf71c42b17e870a8a07d035d74eadb5d47c6b
SHA3-384 hash: f648bafc3e1673754e60ac444735c9f8c3d28e627cdd35277b40ad86f73948bae6e36439a8cedfd26f34346ee8c9ed1b
SHA1 hash: dc40ea23e2cd22efdaea20888f5ac564f9818d4e
MD5 hash: bd60bbc229f4abd69c74feb885b11b79
humanhash: quebec-mobile-high-lemon
File name:bd60bbc229f4abd69c74feb885b11b79.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'165'824 bytes
First seen:2020-09-27 08:09:23 UTC
Last seen:2020-09-27 08:37:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:dxxeh6PWLGPH7L7TZ2+H8K/d9FmBxCm2fILTK:TxeheiGPHXz/ElKC
Threatray 628 similar samples on MalwareBazaar
TLSH B7456BDC722072EFC857D462DEA82CA8EA5174BB931F4203902755EDEA4D897DF244F2
Reporter abuse_ch
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/66228/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.tc.18774.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/476017
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 290458 Sample: dyIrlup1W2.exe Startdate: 27/09/2020 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Multi AV Scanner detection for dropped file 2->37 39 Sigma detected: Scheduled temp file as task from temp location 2->39 41 10 other signatures 2->41 7 dyIrlup1W2.exe 7 2->7         started        process3 file4 21 C:\Users\user\AppData\...\YkbnBRqtCfH.exe, PE32 7->21 dropped 23 C:\Users\...\YkbnBRqtCfH.exe:Zone.Identifier, ASCII 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmpF028.tmp, XML 7->25 dropped 27 C:\Users\user\AppData\...\dyIrlup1W2.exe.log, ASCII 7->27 dropped 43 Detected unpacking (changes PE section rights) 7->43 45 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->45 47 Injects a PE file into a foreign processes 7->47 49 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->49 11 dyIrlup1W2.exe 15 6 7->11         started        15 schtasks.exe 1 7->15         started        17 dyIrlup1W2.exe 7->17         started        signatures5 process6 dnsIp7 29 elb097307-934924932.us-east-1.elb.amazonaws.com 54.225.195.221, 49723, 80 AMAZON-AESUS United States 11->29 31 nagano-19599.herokussl.com 11->31 33 api.ipify.org 11->33 51 Tries to steal Mail credentials (via file access) 11->51 19 conhost.exe 15->19         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/31dbbb21f357a3c24fc9257a46fbf71c42b17e870a8a07d035d74eadb5d47c6b/
Threat name:
ByteCode-MSIL.Trojan.Sudloader
Create hunting rule
Status:
Malicious
First seen:
2020-09-27 08:11:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ghn3wiptk6r4et6jev5en67xdrblc7uhbkfapubv25hk3nouprvq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
05807aa9786344f72723727a873d483e8c330b0500f94d119eaaf284324e7714
MassLogger
1d9e325f6d234c3d212243a3924f25a2e4acce0db718c57a52480e6994b5e173
MassLogger
27ed7853f8176995ba85c2fb099e49a6344c9d8afa38b2cb8d137032d96f9db8
MassLogger
3e24bc0f9fdba289c0ab90cd86709b32eb6903abc8f3843c07ca74d1af36a6a9
MassLogger
5d0fe828d087e58c38d1724aeced199e4fb352535621e09ab4875a2f960ddabb
MassLogger
90ff23943691446d2cf73e28cba8dcd44cc7dc2577cdca70caf839e2331b6447
MassLogger
9a8f261bab8c9489b141b7a1cadd5a780d436c33506824d8b4efa709501c98c1
MassLogger
d730df4850006dea47a1820961961672cc08042a07d4bace39568261d1de2ddc
MassLogger
e0b4bd94f0a84e21e5bd9c173ed19d44e1e1959ecf09f4b4e7ce047bf6c287e5
MassLogger
f8a621b4900824e4ae9ce13884bfc7e10c9867d0a578c71fe59680fe9523d56c
MassLogger
+ 618 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200927-33bmbrdajn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Unpacked files
SH256 hash:
e20de004f28db90c54c012e3212f1823502579ce193ebe6acdbf9a317b0a9086
MD5 hash:
76c3cbba50e630239c0f31e390ddf5c3
SHA1 hash:
27e4cdfddb7036309e779cea7e12b4912a113b2f
Link:
https://www.unpac.me/results/a26d743d-0222-464e-a412-0af1072d3dfb/
SH256 hash:
c3e364a86025b2f827fc8247509bd7077375937537eae7edcb962ffe803f5169
MD5 hash:
98e886e01d17468f8878f803e64f74f1
SHA1 hash:
39be3086acdb3d53614ab67fe69a01727ffe77ae
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/a26d743d-0222-464e-a412-0af1072d3dfb/
Parent samples :
31dbbb21f357a3c24fc9257a46fbf71c42b17e870a8a07d035d74eadb5d47c6b
f8a621b4900824e4ae9ce13884bfc7e10c9867d0a578c71fe59680fe9523d56c
64dff772856e4b4ef9913bf7289fc59a4ed60c51afed8131473defaed74e4ed3
SH256 hash:
c48ab50625e772afdeba8e97bf29402e173e7737b77fc40f9e6609d7c4e9d4cd
MD5 hash:
16bd8b486bd3bd62b5abb7c1ad4202e6
SHA1 hash:
b68a0dc421be2e2835e3a201839e512687aa74bb
Link:
https://www.unpac.me/results/a26d743d-0222-464e-a412-0af1072d3dfb/
SH256 hash:
785261875049471f6432827571071af39fdb06ec0a223224c12792201a9f66e5
MD5 hash:
e41b095949e16c551511c80acfc18ac2
SHA1 hash:
c1c9299481d8604297151f48ac8c790c9e920504
Link:
https://www.unpac.me/results/a26d743d-0222-464e-a412-0af1072d3dfb/
SH256 hash:
a4009288982e4c30d22b544167f72db882e34f0fda7d4061b2c02c84688c0ed1
MD5 hash:
7c359500407dd393a276010ab778d5af
SHA1 hash:
4d63d669b73acaca3fc62ec263589acaaea91c0b
Link:
https://www.unpac.me/results/a26d743d-0222-464e-a412-0af1072d3dfb/
SH256 hash:
31dbbb21f357a3c24fc9257a46fbf71c42b17e870a8a07d035d74eadb5d47c6b
MD5 hash:
bd60bbc229f4abd69c74feb885b11b79
SHA1 hash:
dc40ea23e2cd22efdaea20888f5ac564f9818d4e
Link:
https://www.unpac.me/results/a26d743d-0222-464e-a412-0af1072d3dfb/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe 31dbbb21f357a3c24fc9257a46fbf71c42b17e870a8a07d035d74eadb5d47c6b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/410915/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/66228/

Comments