MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4261bcf1395fcd6fd3bfa28d5427d88ea43e186c5497d8a98d195a599dd197e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4261bcf1395fcd6fd3bfa28d5427d88ea43e186c5497d8a98d195a599dd197e9
SHA3-384 hash: 6df3b750abf93037230cceac988e6f13974e6f61d1e8a064d8d086705f14e4b7a100bb656164567934209f862f961780
SHA1 hash: 4ea5419ef5642a3a1668a32f354a6d928b319226
MD5 hash: 360c6dadd9c386a6ebeeb905f6cc59eb
humanhash: oxygen-iowa-helium-orange
File name:Account 1.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:278'016 bytes
First seen:2021-02-01 14:58:18 UTC
Last seen:2021-02-09 15:35:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:JijbTKI5/DX85JopCVtraWgvHY3ZEb+kjOOLBVCYUoXB1Nb3K:JOeI5/DM5JjjraWgvHY3ZEb+kjHLBVCA
Threatray 729 similar samples on MalwareBazaar
TLSH E544AEBC9BF8DF72C97E073DC560291427B4A842A847D71F15E492DE2E637C04A12AA7
Reporter GovCERT_CH
Tags:MassLogger

Intelligence

File Origin
# of uploads :
13
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Account 1.exe
Verdict:
Malicious activity
Analysis date:
2021-02-01 15:00:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/92cecac0-ffe3-472c-acd5-ef0e60ce3928

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114973/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Unauthorized injection to a recently created process
Creating a file
Sending a UDP request
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Enabling autorun
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/595494
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Binary contains a suspicious time stamp
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Yara detected MultiObfuscated
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 346787 Sample: Account 1.exe Startdate: 01/02/2021 Architecture: WINDOWS Score: 100 64 smtp.yandex.ru 2->64 66 smtp.yandex.com 2->66 68 3 other IPs or domains 2->68 78 Multi AV Scanner detection for domain / URL 2->78 80 Multi AV Scanner detection for dropped file 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 12 other signatures 2->84 8 Account 1.exe 3 2->8         started        12 Account 1.exe 2->12         started        14 Account 1.exe 2 2->14         started        16 3 other processes 2->16 signatures3 process4 file5 60 C:\Users\user\AppData\...\Account 1.exe.log, ASCII 8->60 dropped 98 Injects a PE file into a foreign processes 8->98 18 Account 1.exe 18 4 8->18         started        23 powershell.exe 15 8->23         started        25 Account 1.exe 12->25         started        27 powershell.exe 12->27         started        29 Account 1.exe 14->29         started        31 powershell.exe 14->31         started        35 3 other processes 14->35 33 powershell.exe 16->33         started        37 2 other processes 16->37 signatures6 process7 dnsIp8 70 193.239.147.103, 49722, 49732, 49734 DEDIPATH-LLCUS Brunei Darussalam 18->70 52 C:\Users\user\AppData\...\Account 1.exe, PE32 18->52 dropped 54 C:\Users\...\Account 1.exe:Zone.Identifier, ASCII 18->54 dropped 86 Creates an undocumented autostart registry key 18->86 39 Account 1.exe 5 18->39         started        56 C:\Users\user\AppData\...\I$s#$lT3ssl.exe, PE32 23->56 dropped 58 C:\Users\...\I$s#$lT3ssl.exe:Zone.Identifier, ASCII 23->58 dropped 88 Drops PE files to the startup folder 23->88 90 Powershell drops PE file 23->90 44 conhost.exe 23->44         started        92 Creates autostart registry keys with suspicious names 25->92 94 Creates multiple autostart registry keys 25->94 96 Injects a PE file into a foreign processes 25->96 46 conhost.exe 27->46         started        48 conhost.exe 31->48         started        50 conhost.exe 33->50         started        file9 signatures10 process11 dnsIp12 72 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.76.253, 49730, 49742, 80 AMAZON-AESUS United States 39->72 74 192.168.2.1 unknown unknown 39->74 76 2 other IPs or domains 39->76 62 C:\Users\user\AppData\Local\Temp\...\Log.txt, ASCII 39->62 dropped 100 Tries to steal Mail credentials (via file access) 39->100 102 Tries to harvest and steal browser information (history, passwords, etc) 39->102 file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4261bcf1395fcd6fd3bfa28d5427d88ea43e186c5497d8a98d195a599dd197e9/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-30 06:39:17 UTC
AV detection:
28 of 46 (60.87%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ijq3z4jzl7gw7u57ukgvij6yr2sd4gdmksl5rkmndfnfthors7uq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
100b0b79aaaf948df42bb2b46ad0a6e57c67e2b2a7d91d16c225c24c77f70d2a
MassLogger
239fca3f5df496aab1b7c7696aaa26d77174501abc9cb1c1e12a188584d745cc
MassLogger
3027dc21e325fddbc9e6cd21b0491f3270190f219776de4971e510c4490d3c25
MassLogger
4fd457b5e2ff2430dbce5692ba6c47253ade9e105ffb192d01aee29d6ba7c912
MassLogger
65b904f1a835b7b95e8644177287c03b1eae3a75432dd397347c7416be0ce253
MassLogger
97b6fd22538c6144dbc4c3bee45e74a570a853746d2052c0a14265e6991ec88e
MassLogger
d9b75b8d542d8278b8748169b3250cdf07604dc91e9d5c5a5686727d9f58afb7
MassLogger
df049efbfa7ac0b76c8daff5d792c550c7a7a24f6e9e887d01a01013c9caa763
MassLogger
fcbe71082a3592c66d1c16e331ee3af753087b46c63a118cab63cc5869e65b9a
MassLogger
fcfc827205cd38cdf997f72b1d58eba51ac12da6ba5939279b626522b11fd938
MassLogger
+ 719 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger persistence ransomware spyware stealer
Link:
https://tria.ge/reports/210201-gjp8za3p2n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Beds Protector Packer
MassLogger
MassLogger Main Payload
MassLogger log file
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/53a8d9a6-7169-49c3-bebf-f6af99ac9302/
SH256 hash:
bec8fd3241ccb74e895df74f8ff8947f66e0e30484f6b748d35ad527b90f0641
MD5 hash:
84948cdfc69c5d1e60ba0531a88c3972
SHA1 hash:
94830e5fefa2ee59716eeee76b746677d42a5905
Link:
https://www.unpac.me/results/53a8d9a6-7169-49c3-bebf-f6af99ac9302/
SH256 hash:
efb1aae64c813cba7ac45281d378aee0a8e3d7d0e5ba13a795e9a27650981b1c
MD5 hash:
ab8161c0a9960910129eb17bf27826f2
SHA1 hash:
61649eecd7bd53709a4d262dc26bc9bfe2be2860
Link:
https://www.unpac.me/results/53a8d9a6-7169-49c3-bebf-f6af99ac9302/
SH256 hash:
4261bcf1395fcd6fd3bfa28d5427d88ea43e186c5497d8a98d195a599dd197e9
MD5 hash:
360c6dadd9c386a6ebeeb905f6cc59eb
SHA1 hash:
4ea5419ef5642a3a1668a32f354a6d928b319226
Link:
https://www.unpac.me/results/53a8d9a6-7169-49c3-bebf-f6af99ac9302/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4261bcf1395fcd6fd3bfa28d5427d88ea43e186c5497d8a98d195a599dd197e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 4d3a7009eef3966809949b166644b47811fee4104669c6801f25c497fc786651

MassLogger

Executable exe 4261bcf1395fcd6fd3bfa28d5427d88ea43e186c5497d8a98d195a599dd197e9

(this sample)

  
Dropped by
MD5 7eb73a2a97f82be764a515e7c01a97a6
  
Dropped by
SHA256 4d3a7009eef3966809949b166644b47811fee4104669c6801f25c497fc786651
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/114973/

Comments