MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36e711a66774ed0b6457f8d442315a4d1b5d06781a8ab1254abda5ba824bb816. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36e711a66774ed0b6457f8d442315a4d1b5d06781a8ab1254abda5ba824bb816
SHA3-384 hash: 773a1994ca217913e2145446f2311c1138b84e02bcb7020de19e328eb361bc5ffe3e9e7d027ed5553f968c5fb05c0015
SHA1 hash: b8a95ba61136fb3526a10148c63c003b2e6d65d3
MD5 hash: 551477d574719f9e1f6e66d4233f263c
humanhash: moon-lithium-eighteen-mobile
File name:PO-1511.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:143'928 bytes
First seen:2020-10-29 13:05:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 3072:hWwqXeUdcSq9uPxRfyLixpUuHd7mzlLOXs/GKrHzYXy:UAUSSA22+xpUuNmhLw8G+yy
Threatray 42 similar samples on MalwareBazaar
TLSH 17E3CF52BACDD423D59D2D3EE833C6FA56337E11EA12D30B6688BD193A727C34962580
Reporter James_inthe_box
Tags:exe MassLogger

Code Signing Certificate

Organisation:Adobe Inc.
Issuer:DigiCert EV Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Jan 31 00:00:00 2019 GMT
Valid to:Feb 3 12:00:00 2021 GMT
Serial number: 06F24D9F4DB07BD7ECAD067F5EE26C29
Intelligence: 9 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: F1D08D7B98504370C1D5C40DCD8D8DCEAB084E9095CEF544465C445A374A18B0
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/80951/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader35.9004.2188.9184.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/516047
Signature
Deletes itself after installation
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 307132 Sample: PO-1511.exe Startdate: 29/10/2020 Architecture: WINDOWS Score: 80 27 Multi AV Scanner detection for dropped file 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 Yara detected MassLogger RAT 2->31 33 2 other signatures 2->33 7 PO-1511.exe 16 6 2->7         started        12 vlc.exe 2->12         started        14 vlc.exe 2->14         started        process3 dnsIp4 23 185.172.110.244, 49736, 80 BLADESERVERSNL Netherlands 7->23 21 C:\Users\user\AppData\Roaming\...\vlc.exe, PE32 7->21 dropped 35 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->35 16 powershell.exe 16 7->16         started        file5 signatures6 process7 signatures8 25 Deletes itself after installation 16->25 19 conhost.exe 16->19         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36e711a66774ed0b6457f8d442315a4d1b5d06781a8ab1254abda5ba824bb816/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-28 23:03:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g3trdjthotwqwzcx7dkeemk2junv2btydkflcjkkxws3vaslxala._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
188937c949c23138157a707a06cca97dda5f3adc3b6f98bd07088a321d5220a5
MassLogger
2e4775c5d181f37f4a0802a9982601352f0a7de1ffd74909024150572ed6522b
MassLogger
3005d49fd313fedcf242a6ba2c6ffc962ce86469fe1bce77f775e64457f7ea33
MassLogger
4585051dc6b7393255db1838a6ced5e5005da977ea7be332cc6540bcfe0379fc
MassLogger
a4336636fb933c27fbd31d4d08e3c888aa6a36e915e3d783f9dbce3c93ce7539
MassLogger
b4267cab9e3e8255b44e1947b4c6bb40901d9f0654c2d0ab40690851fcacf16c
MassLogger
c9c5b4b76ac69632d5f5931198adb5d21d214c72d8524ffc60d7d6bbcd44cf03
MassLogger
d8f37e199f10881b2045823553fd64f3f52ec616e24f2235a47dae7c435a3c72
MassLogger
e9f6a306988f2ef722e09399f0473f0d8623b23da0de1bb32e58e91d21a356e3
MassLogger
ed184e1c76f982d9537a281ac7cc805179e72d9ca538e7ff202e7be38bfee6ae
MassLogger
+ 32 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger persistence spyware stealer
Link:
https://tria.ge/reports/201029-fx5h35a1r6/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Looks up external IP address via web service
Reads user/profile data of web browsers
Deletes itself
Checks computer location settings
MassLogger
MassLogger Main Payload
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/80951/

Comments