MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d37c3617a157667f9e536996ce1f4e790060b8b8449f905bf9c1f5bcd09b7a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d37c3617a157667f9e536996ce1f4e790060b8b8449f905bf9c1f5bcd09b7a9
SHA3-384 hash: be612ec808c6ec6c39412f2fb397efec6b97e4b445b7486ff19b2577826a0878cbfe646239bc0e3dec03be9950a6e48b
SHA1 hash: 866be343a5dbf90ae26aa46fd6a372528182e3af
MD5 hash: 08156bf26f6f10ceb1d7525c483935e2
humanhash: summer-crazy-coffee-rugby
File name:08156bf26f6f10ceb1d7525c483935e2.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:188'928 bytes
First seen:2020-10-13 17:54:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 3072:saIIGSZdl2hOtEPNgjGLMZ4//ZbGW8dh2SUpATb4gF7ZMtcyHTwgqa9P:saZGS7l2hOtElgqXZCsAT9/MeyHTwY
Threatray 385 similar samples on MalwareBazaar
TLSH 8504D829CD9A9837FD6DBBF6F4B40AEEAE3058053C12EE0F51470E864D2E7C1184B959
Reporter abuse_ch
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70596/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.ch.10472.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Launching a process
Creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/490200
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 297555 Sample: 4e0i0kpaVi.exe Startdate: 13/10/2020 Architecture: WINDOWS Score: 76 41 Antivirus / Scanner detection for submitted sample 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 .NET source code contains method to dynamically call methods (often used by packers) 2->45 47 3 other signatures 2->47 8 4e0i0kpaVi.exe 1 2->8         started        process3 file4 39 C:\Users\user\AppData\...\4e0i0kpaVi.exe.log, ASCII 8->39 dropped 49 Injects a PE file into a foreign processes 8->49 12 4e0i0kpaVi.exe 1 1 8->12         started        15 4e0i0kpaVi.exe 8->15         started        signatures5 process6 signatures7 51 Disables Windows Defender (via service or powershell) 12->51 17 powershell.exe 25 12->17         started        19 powershell.exe 20 12->19         started        21 powershell.exe 24 12->21         started        23 11 other processes 12->23 process8 process9 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 23->33         started        35 conhost.exe 23->35         started        37 8 other processes 23->37
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d37c3617a157667f9e536996ce1f4e790060b8b8449f905bf9c1f5bcd09b7a9/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 16:38:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
1643306adbe8c7e38ee965ab974c1d074afc671c0e5aa0c2b50a18cc67036a50
MassLogger
23bd17fba8c0cb660dada2c952431dc7e335bbdfb8e34078da941a29652526d5
MassLogger
2e4775c5d181f37f4a0802a9982601352f0a7de1ffd74909024150572ed6522b
MassLogger
4be1e912f4b6f65dd938f0a6fa1f1d9b8d4c20fc25ac3c3189e10013c29e4dea
MassLogger
79541840f37314c88b923c55cfa29bc952a514242edce7b9a54a937a6f5ed985
MassLogger
878e1a1b65cc05eb728bf4ce85b7ad87576bbc9c8465d1348c71cef4e8c098f2
MassLogger
c686c7b2fff2ad2853c1d450d44fcf96ff3df67f34205b6b4e0352153893c924
MassLogger
ce4c9d123144cb01aaa09ecfc34a21b6808c8d891fdd777e3bc8736fc3d877ca
MassLogger
d8f37e199f10881b2045823553fd64f3f52ec616e24f2235a47dae7c435a3c72
MassLogger
e1422dbc6631aec397fe0dc7298ec6b52570720f2fb6c7605db0a72b48809df9
MassLogger
+ 375 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/201013-5zkhfjb1qe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Windows security modification
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
3d37c3617a157667f9e536996ce1f4e790060b8b8449f905bf9c1f5bcd09b7a9
MD5 hash:
08156bf26f6f10ceb1d7525c483935e2
SHA1 hash:
866be343a5dbf90ae26aa46fd6a372528182e3af
Link:
https://www.unpac.me/results/a7093f7f-ae69-4e4d-81e3-8dbf7eace46e/
SH256 hash:
54a5a2b439f53cd2adc53af410b7ea9e19f924fecbde9d8b053e161fd5f7fd70
MD5 hash:
64c5bc9e1de39555efa6f78a2616bea9
SHA1 hash:
547c23fb5bc6d8e7e8af625204a6f01c71cf8e36
Link:
https://www.unpac.me/results/a7093f7f-ae69-4e4d-81e3-8dbf7eace46e/
SH256 hash:
165b6353a27653c087637f372f70713e4e0af658e87f03ba0703d8b975525243
MD5 hash:
112730ad698bcb62cfb8c64c4862640a
SHA1 hash:
6b42b1f3f372785c40b4f80c35d6aa2e0d012429
Link:
https://www.unpac.me/results/a7093f7f-ae69-4e4d-81e3-8dbf7eace46e/
SH256 hash:
048d6250aeb3f7f1db55401597c86f1586fb4f3eb81c36b35a515172ea0c1f5e
MD5 hash:
312fc53374d0bc0e84fc242ba2a72dd3
SHA1 hash:
d8c9a805e338e5e2f65dd5c45d21a3d1fc7547df
Link:
https://www.unpac.me/results/a7093f7f-ae69-4e4d-81e3-8dbf7eace46e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d37c3617a157667f9e536996ce1f4e790060b8b8449f905bf9c1f5bcd09b7a9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe 3d37c3617a157667f9e536996ce1f4e790060b8b8449f905bf9c1f5bcd09b7a9

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/70596/
  
URLhaus
https://urlhaus.abuse.ch/url/447390/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/439791/
  
URLhaus
https://urlhaus.abuse.ch/url/686521/
  
URLhaus
https://urlhaus.abuse.ch/url/686535/

Comments