MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c969bc65ce904a957ad469246cd3e3642c881fc128b5b389e1e3195acc16f20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c969bc65ce904a957ad469246cd3e3642c881fc128b5b389e1e3195acc16f20
SHA3-384 hash: 87dd58ea5df49ef4b2ef08caaf0ab64324f287267376d7d8bbacf0a06a6498c6fabd44c86e54f5d45bd16f4801817eea
SHA1 hash: a64d1fc6a43473ea22b0cc57f16df7a674d49576
MD5 hash: b4e4f40ba746f33a1d737edbf138073f
humanhash: violet-pasta-august-apart
File name:KL5dsA6lka4Hxsh.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'257'984 bytes
First seen:2020-08-06 13:30:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:pIYxPeVZlTwI25aF9NIzwkWGrCAjnixWf3lF9QwV:pIPVjTwIeaFLIzNrnn6Wf3lF9QwV
Threatray 713 similar samples on MalwareBazaar
TLSH CB45E0C2E5409E50DC290A3F4D3389924B33AC6BEF065606349CFA556BF359A6E35F83
Reporter James_inthe_box
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41213/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.53037.30880.29511.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/414004
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 259416 Sample: KL5dsA6lka4Hxsh.exe Startdate: 07/08/2020 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Sigma detected: Scheduled temp file as task from temp location 2->39 41 Yara detected MassLogger RAT 2->41 43 7 other signatures 2->43 7 KL5dsA6lka4Hxsh.exe 5 2->7         started        process3 file4 23 C:\Users\user\AppData\...\&startupname&.exe, PE32 7->23 dropped 25 C:\...\&startupname&.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp1DCE.tmp, XML 7->27 dropped 29 C:\Users\user\...\KL5dsA6lka4Hxsh.exe.log, ASCII 7->29 dropped 45 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->45 47 Injects a PE file into a foreign processes 7->47 11 KL5dsA6lka4Hxsh.exe 15 6 7->11         started        15 schtasks.exe 1 7->15         started        17 KL5dsA6lka4Hxsh.exe 7->17         started        19 KL5dsA6lka4Hxsh.exe 7->19         started        signatures5 process6 dnsIp7 31 mail.privateemail.com 198.54.122.60, 49712, 587 NAMECHEAP-NETUS United States 11->31 33 elb097307-934924932.us-east-1.elb.amazonaws.com 54.225.66.103, 49711, 80 AMAZON-AESUS United States 11->33 35 3 other IPs or domains 11->35 49 Tries to steal Mail credentials (via file access) 11->49 21 conhost.exe 15->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c969bc65ce904a957ad469246cd3e3642c881fc128b5b389e1e3195acc16f20/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 04:04:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
33 of 48 (68.75%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hsljxrs45ecksv5ni2jentj6gzbmrap4ckfvwoe6dyyzllgbn4qa._file
Verdict:
unknown
Similar samples:
20be971374f0ffd1224aafed410fdb30e3340788a7dd80747dd18f3ef0f8168d
MassLogger
2302005fdd7c57d73c350d541fd0020b051efffdf02a4f3c3e1671cacea30043
MassLogger
4c172115335644672c3a6ef0b6db25528e124eed105da496db95f2672d7120ea
MassLogger
8f8324aa2244c6ecc4369ef6e5ea25b405ecf48aef96e34cc04c56f6ad240ade
MassLogger
9b8c523e9a551600cec0e653e4c8085dcf1b4a7e77559a903e64e7f1aa659223
MassLogger
a551bc2327862c1430dac51dce368001622525fae235ca689f7b055e0d3125c7
MassLogger
a990373e6225384bd1bab3441dc0cb881f1e03f51f83f7923ca6c9ff228bee5c
MassLogger
aa30ea6f5603484a2f71a0fa1429cef880ee018c6b3557ad09708dca055cbb22
MassLogger
b99de03440f57a55e0c9a269df9d79ff2214eb859361d217f76fa86579fd82df
MassLogger
dc05645067f3f3ccf6a4e647dcf935c928fd981ef904672603a7ab409488166e
MassLogger
+ 703 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200806-ajbjqz83sj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c969bc65ce904a957ad469246cd3e3642c881fc128b5b389e1e3195acc16f20

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/41213/
  
URLhaus
https://urlhaus.abuse.ch/url/426044/

Comments