MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37899ec2bb2af9ca237b54707d5e7fdff2618bbe743144f71a3338de8bca2c62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	37899ec2bb2af9ca237b54707d5e7fdff2618bbe743144f71a3338de8bca2c62
SHA3-384 hash:	7e1ba5ae51422dbf9d8f01dfee4cae1b70b106165a80ae4aa9ca1af7f5dfb209375fc00f7081cf2e0a3c69feac8b0d3c
SHA1 hash:	c49e51e38c8e3988e9782dd717e1c5c45315c5f9
MD5 hash:	a2465206c40be3fed6b64591b60eba67
humanhash:	equal-zulu-friend-saturn
File name:	Halkbank,doc.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'219'584 bytes
First seen:	2020-11-05 08:27:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:05Gdjdzxix9ykzydvvZ83e8ewG5yZoVbyTPPB77Ee9hIHvNeK+bsf:Wi0yqydvhUei1ZfPJ7Ee9hIHklbw
Threatray	457 similar samples on MalwareBazaar
TLSH	4B45D0FA6242D66AC80F043FF84B246193D9DB6E99FC904647C5F11D127C6CEA6AC4CB
Reporter	abuse_ch
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/83119/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Launching a process

Reading critical registry keys

Setting a global event handler for the keyboard

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/521086

Signature

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/37899ec2bb2af9ca237b54707d5e7fdff2618bbe743144f71a3338de8bca2c62/

Threat name:

ByteCode-MSIL.Backdoor.NanoBot

Status:

Malicious

First seen:

2020-11-05 07:01:02 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=g6ez5qv3fl44ui33kryh2xt737zgdc56oqyuj5y2gm4n5c6kfrra._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

469a999081f85b628a17c458feaa87c21afa26376275c374551917bb50b0bb95

MassLogger

8bb96bc7a886ac113b6fbbd8c07e7e6629fc695d7558a28cb8b0fa6c77ce9100

MassLogger

a1cc51486690053098454d2e313c4db5071afb8ae600d8caa87a4c5769ee51c2

MassLogger

c930deb75ebc8fd117d585898358df69af8ce6ffe9569ef5f47ad9fc6f26d01e

MassLogger

ca461421154f0bfaa9b24b0ed5ea776ddeffc9775e3fdb4da1339dcc352468c6

MassLogger

d18ed06b9419076750525d6324bce7702186263efaa0ab0d3647510268883f37

MassLogger

d40978f6bcf9982f5d3147ce9717eb72435068525b91cad816cafd7cb4711bbf

MassLogger

e6dfcee5a6edf1015136b0173ff2bb953982545f581ecf4a6fdd922c2818c609

MassLogger

fa655773a5d44061edbaeedb2b3e31597bcefe870c47fdefdb39ea0bb072d31d

MassLogger

+ 447 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

family:masslogger persistence spyware stealer

Link:

https://tria.ge/reports/201105-w6jmc8e6la/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

MassLogger

MassLogger Main Payload

Unpacked files

SH256 hash:

31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b

MD5 hash:

0aebe46040ceb011e78506d4985fe3de

SHA1 hash:

218ac1e7b14a66c604ec3042f8486bed9cd4c2c1

Link:

https://www.unpac.me/results/dffd2841-fdb9-4fb6-ac4f-bea1624b8201/

SH256 hash:

6f483b6b23f751e184dc9ed4b6e942c0c1a5bb4540cd263c2b76745120b140c2

MD5 hash:

0a6667f22fb48f5c68e4d02979bb9038

SHA1 hash:

23ba571b1590e6ad1b81c43973a26f4e2fea225b

Link:

https://www.unpac.me/results/dffd2841-fdb9-4fb6-ac4f-bea1624b8201/

SH256 hash:

d2e8fdda571fab2369b8ef03a31599cca12769b671f4b6fdd834be409c69e325

MD5 hash:

7812283b6755d64387b920d1647e23a7

SHA1 hash:

5de53822f2b69758fdd44cd4acff130fd3e1499d

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/dffd2841-fdb9-4fb6-ac4f-bea1624b8201/

Parent samples :

d18ed06b9419076750525d6324bce7702186263efaa0ab0d3647510268883f37
a1cc51486690053098454d2e313c4db5071afb8ae600d8caa87a4c5769ee51c2
37899ec2bb2af9ca237b54707d5e7fdff2618bbe743144f71a3338de8bca2c62
ca18e92f0eb610f92ce008b708acdca5969f308e319f5f128099514948dbd808
60433e0a1c1fb088c5be37ca9760486fd17bb99b848817880b5601e77150e1c8

SH256 hash:

37899ec2bb2af9ca237b54707d5e7fdff2618bbe743144f71a3338de8bca2c62

MD5 hash:

a2465206c40be3fed6b64591b60eba67

SHA1 hash:

c49e51e38c8e3988e9782dd717e1c5c45315c5f9

Link:

https://www.unpac.me/results/dffd2841-fdb9-4fb6-ac4f-bea1624b8201/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

exe 37899ec2bb2af9ca237b54707d5e7fdff2618bbe743144f71a3338de8bca2c62

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/83119/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample