MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c7886c5214abc2bbc597d2afe1f28e443c75cfa7e368bec941a1b78bcf7eb12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c7886c5214abc2bbc597d2afe1f28e443c75cfa7e368bec941a1b78bcf7eb12
SHA3-384 hash: a2c7d4a14473fec439765ffd42c6e1937c34dc50dab045ffc0cc18e88a1188c7dcdf8ef9ff9391e6b79274714f370885
SHA1 hash: 9aa7b3c9572b880ccb59840bb26728d330d3941e
MD5 hash: 7bd2be4065c72d78b7e8866dff1a35ba
humanhash: xray-november-august-hotel
File name:000000000090000000.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'501'628 bytes
First seen:2021-01-29 10:35:08 UTC
Last seen:2021-02-09 15:50:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ea4e67a31ace1a72683a99b80cf37830 (70 x Formbook, 63 x GuLoader, 54 x Loki)
ssdeep 24576:HCYQvVbAl7DEkwp1v4bCOcw5UxbQ6xZcea6gMNPenZT62igkVUAoXWFgwWk:it2I1vECOcw5BeqeaumBif2rwyk
Threatray 644 similar samples on MalwareBazaar
TLSH A065BFD1F15088DAED6B09F27D2BA53024D7AE9C94A4410C56ADBB1B76F3342309FE1E
Reporter GovCERT_CH
Tags:MassLogger

Intelligence

File Origin
# of uploads :
18
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
000000000090000000.exe
Verdict:
Malicious activity
Analysis date:
2021-01-29 10:36:49 UTC
Tags:
autoit evasion trojan stealer masslogger
Link:
https://app.any.run/tasks/f05ed04a-276e-487b-b777-c031cdac2e8b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114726/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching a process
Sending a UDP request
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/593863
Signature
Found malware configuration
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 345971 Sample: 000000000090000000.exe Startdate: 29/01/2021 Architecture: WINDOWS Score: 96 56 Found malware configuration 2->56 58 Yara detected MassLogger RAT 2->58 60 Sigma detected: MSBuild connects to smtp port 2->60 62 3 other signatures 2->62 7 000000000090000000.exe 12 2->7         started        10 file.exe 2->10         started        13 file.exe 2->13         started        process3 file4 28 C:\Users\user\AppData\Local\Temp\tyedzc.exe, PE32 7->28 dropped 15 tyedzc.exe 1 4 7->15         started        70 Writes to foreign memory regions 10->70 72 Maps a DLL or memory area into another process 10->72 19 MSBuild.exe 4 10->19         started        22 MSBuild.exe 4 13->22         started        signatures5 process6 dnsIp7 30 C:\Users\user\AppData\Roaming\...\file.exe, PE32 15->30 dropped 52 Writes to foreign memory regions 15->52 54 Maps a DLL or memory area into another process 15->54 24 MSBuild.exe 15 5 15->24         started        34 nagano-19599.herokussl.com 19->34 36 elb097307-934924932.us-east-1.elb.amazonaws.com 19->36 38 api.ipify.org 19->38 40 54.235.147.252, 49722, 80 AMAZON-AESUS United States 22->40 42 nagano-19599.herokussl.com 22->42 44 2 other IPs or domains 22->44 32 C:\Users\user\AppData\Local\Temp\...\Log.txt, ASCII 22->32 dropped file8 signatures9 process10 dnsIp11 46 smtp.yandex.ru 77.88.21.158, 49736, 587 YANDEXRU Russian Federation 24->46 48 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.252.4, 49717, 49721, 80 AMAZON-AESUS United States 24->48 50 3 other IPs or domains 24->50 64 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->64 66 Tries to steal Mail credentials (via file access) 24->66 68 Tries to harvest and steal browser information (history, passwords, etc) 24->68 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c7886c5214abc2bbc597d2afe1f28e443c75cfa7e368bec941a1b78bcf7eb12/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-29 10:36:14 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hr4inrjbjk6cxpczpuvp4hzi4rb4oxh2py3ix3eudinxrphx5mja._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
29285c1e0f58e12ace807098090275535b37d6faf0379372b4ae41299cca5c3f
MassLogger
2a5bce88201c08a0bda97ea99db198b3a278b4f42c4ff7d0defb82b38b93d180
MassLogger
2f4fc1a5a5dccb324dcfac0022a391260fec5b2f2620b52d884f2b853a9a4471
MassLogger
36bb4745d0a342a57dbd7c668aed07e956ff166df4864e21b0770e790f734acc
MassLogger
3ab0c6de3d72133e9f3cf89b5d6c6bf7feebeaa273a3492aa051d1cc2fde6a33
MassLogger
66d01b6b49a09223921380d6359a4010a7e701dd620410200c61e34ff59a7aaf
MassLogger
6c6c4041482944d1b1990286dd40957b91316c51cf38091a4768cee84811f3ec
MassLogger
73d7814c16c97737ef3c337788edbed7d6523a6ace4d429289e9b9b55a6bd072
MassLogger
9f86ac872435f541b72bd8da2719337f399b02ef8740a04f071b9044ae6ed397
MassLogger
f74318d49a5910f77a11bf60335a1a00fabf658fa498a8c03ed7d28d5749ed5a
MassLogger
+ 634 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger persistence ransomware spyware stealer
Link:
https://tria.ge/reports/210129-82y62q9nqa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
MassLogger
MassLogger Main Payload
MassLogger log file
Unpacked files
SH256 hash:
9cdecc703bbc421f86e114ee279f8efccec082897118b41b8d93aed913f91fda
MD5 hash:
e77f0687a2ce926ad8fcc4013169dd38
SHA1 hash:
ae10b423cecc95fdb68af9fde181ed79567d8f07
Link:
https://www.unpac.me/results/e7414c74-680e-4581-9f2e-ec5b38cfcc77/
SH256 hash:
e439f02b72a882498d512689f380e1323c4d8342578fe8608e81061cf4a8aee1
MD5 hash:
3d90ab79b9719aded136b7cd437ebb21
SHA1 hash:
dbec6e868a293cb0bd58d35191b1423ab8942384
Link:
https://www.unpac.me/results/e7414c74-680e-4581-9f2e-ec5b38cfcc77/
Parent samples :
90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03
24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f
8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4
cc7cb2ebb12103aea621ec7962819aced4680b4322bc213a9257b36c8f2dab3e
cfa0a176bad0046bd498a5a7f5140ca92734b096c541a54acd1b002f228ec47c
22f34cc0b56ea1709b3af15b41b43fc40fca2b77debb8400108d3f517ee2ed4a
607e8a91c76f444784c2cbc1090cf8724d882d9861641a1f6e0de6b2b9401859
2de4a8c16d3643a3c58c63f4e7df2836919316635c05718dac1e474b6eb7fe29
ec61895ef8af01ff00970e46f7ba98c24bf9079d71e09d3c18576f1a9efc93c2
c1955052a26634f3571423dc64d3fd10c55fdb27f29eb3afd292787693ffcf91
4d4f7a1cb34d5309e1c82e7110209c974a08b3e82eaaf7799d7d9a3a176132ca
48860a4eb801109046a591d18809b1ff3e2b658f2a09c6fb36c4948cb88eb939
08ec22dd1d931a9d4194d5e46bc42914e62227c11e9fedce2175fe6a53eb4f92
6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8
7e18e5fe9e980c48ad67cc2ce7423e818e15c1256e2ffe4ce85c5cfbd5b30877
5dbc3e721cd340dd80bfa7d0127d920f5f2630aa4b3b3ecfb8d2af9f28f0e208
4fe8bbc88d7a8cc0eec24bd74951f1f00b5127e3899ae53de8dabd6ff417e6db
6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea
1ffa8b06cb779360f8c42ccd4527ae3076d25d11b3a90976f04ea430173e9b85
e92f111b8aa01289f72c66585219861e0117c9939de56741cbb234fee55536fe
b69687c4b9aa0c1599840ea90562d3833367e8095addfc725fc2b52fad6ee565
SH256 hash:
9f86ac872435f541b72bd8da2719337f399b02ef8740a04f071b9044ae6ed397
MD5 hash:
daec8d2a480411ff1f82b24af4ac7cdf
SHA1 hash:
c61b695772de84df8508b9a740437db3a6da417d
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/e7414c74-680e-4581-9f2e-ec5b38cfcc77/
Parent samples :
9f86ac872435f541b72bd8da2719337f399b02ef8740a04f071b9044ae6ed397
3c7886c5214abc2bbc597d2afe1f28e443c75cfa7e368bec941a1b78bcf7eb12
d25dcb3b16529c18136847b6e4b1ce35f63f29d28722a8030fb47eaaf11f5363
fa5ce219ed13ed1b4a2d4547d79c953d4a12e034078c9e8d4ff6063f9f71311d
c102f6eeb3bc1106d4201200ca09a72f9b044448d1087db2568078489962563a
48ee5dff920a4d725d5356561c31b5dc86637ff17bb653f0d39cc3485ce905e9
SH256 hash:
3c7886c5214abc2bbc597d2afe1f28e443c75cfa7e368bec941a1b78bcf7eb12
MD5 hash:
7bd2be4065c72d78b7e8866dff1a35ba
SHA1 hash:
9aa7b3c9572b880ccb59840bb26728d330d3941e
Link:
https://www.unpac.me/results/e7414c74-680e-4581-9f2e-ec5b38cfcc77/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c7886c5214abc2bbc597d2afe1f28e443c75cfa7e368bec941a1b78bcf7eb12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MassLogger
Create hunting rule
Author:kevoreilly
Description:MassLogger
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 8b6b62c8f7cbf9afac73bc7281c8a35a41c323408ce12d034eca6de03b368324

MassLogger

Executable exe 3c7886c5214abc2bbc597d2afe1f28e443c75cfa7e368bec941a1b78bcf7eb12

(this sample)

  
Dropped by
MD5 21ef047d7e8e7e456288f61c367a293e
  
Dropped by
SHA256 8b6b62c8f7cbf9afac73bc7281c8a35a41c323408ce12d034eca6de03b368324
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/114726/

Comments