MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48ee5dff920a4d725d5356561c31b5dc86637ff17bb653f0d39cc3485ce905e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48ee5dff920a4d725d5356561c31b5dc86637ff17bb653f0d39cc3485ce905e9
SHA3-384 hash: a3adb71eccfe5881caa335b39df8aed5b313c52a1ef74c5ff586ca39a972ce7b9eba5cbe76473e919743bc74ae137ea6
SHA1 hash: eb231cec15fd73eb18e4dffc124475589083b59f
MD5 hash: ff7a09ab13940871ecf1cf32ec38c24a
humanhash: oklahoma-florida-angel-nitrogen
File name:UYTUINVO-0980M.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:778'791 bytes
First seen:2021-03-04 23:54:39 UTC
Last seen:2021-03-10 01:23:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 12288:/8ek6zxZ7vkBtE1lDB5bblAGyWWrNJkqF9KQ4Lr/cj7uytQ17si8aE48LMJ52:/8MxBuEzDBdRAmWvkqF9KQyraa74aiYm
Threatray 635 similar samples on MalwareBazaar
TLSH 7EF423D1F5A68BB6F03767B41F36CB64FB37ED05925036862B487A1A06F31434AC784A
Reporter GovCERT_CH
Tags:MassLogger

Intelligence

File Origin
# of uploads :
9
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
UYTUINVO-0980M.exe
Verdict:
Malicious activity
Analysis date:
2021-03-04 23:58:12 UTC
Tags:
evasion trojan stealer masslogger
Link:
https://app.any.run/tasks/f9cd2884-1d8f-44f6-872c-91d2319c3814

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/122374/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Launching a process
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a window
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/629324
Signature
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/48ee5dff920a4d725d5356561c31b5dc86637ff17bb653f0d39cc3485ce905e9/
Threat name:
Win32.Trojan.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-03-04 15:50:04 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
15 of 48 (31.25%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jdxf374sbjgxexktkzlbymnv3sdgg77rpo3fh4gtttbuqxhjaxuq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
29285c1e0f58e12ace807098090275535b37d6faf0379372b4ae41299cca5c3f
MassLogger
4261bcf1395fcd6fd3bfa28d5427d88ea43e186c5497d8a98d195a599dd197e9
MassLogger
5389a958986f6ceccaa9e44006852becbccabfb07f126d69e6b031227fb0b487
MassLogger
9f86ac872435f541b72bd8da2719337f399b02ef8740a04f071b9044ae6ed397
MassLogger
a84ff17c2a70d4953ce67e44cf6a3160feaf4a13d3bdad4aefe94810ef124c44
MassLogger
ae1101f81ed495b405d0f80d678da0a6eff8e2f9c432734302ffb764b215de0a
MassLogger
bbc467be402fa10957b329f79484dd0dfbf30ca52ed4275f0fa2085807786f5a
MassLogger
c102f6eeb3bc1106d4201200ca09a72f9b044448d1087db2568078489962563a
MassLogger
d25dcb3b16529c18136847b6e4b1ce35f63f29d28722a8030fb47eaaf11f5363
MassLogger
fa5ce219ed13ed1b4a2d4547d79c953d4a12e034078c9e8d4ff6063f9f71311d
MassLogger
+ 625 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger ransomware spyware stealer
Link:
https://tria.ge/reports/210304-83qg85flhx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
MassLogger
MassLogger Main Payload
MassLogger log file
Unpacked files
SH256 hash:
a4009288982e4c30d22b544167f72db882e34f0fda7d4061b2c02c84688c0ed1
MD5 hash:
7c359500407dd393a276010ab778d5af
SHA1 hash:
4d63d669b73acaca3fc62ec263589acaaea91c0b
Link:
https://www.unpac.me/results/b29de309-6974-44b8-85cb-69d22ca744a3/
SH256 hash:
9f86ac872435f541b72bd8da2719337f399b02ef8740a04f071b9044ae6ed397
MD5 hash:
daec8d2a480411ff1f82b24af4ac7cdf
SHA1 hash:
c61b695772de84df8508b9a740437db3a6da417d
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/b29de309-6974-44b8-85cb-69d22ca744a3/
Parent samples :
9f86ac872435f541b72bd8da2719337f399b02ef8740a04f071b9044ae6ed397
3c7886c5214abc2bbc597d2afe1f28e443c75cfa7e368bec941a1b78bcf7eb12
d25dcb3b16529c18136847b6e4b1ce35f63f29d28722a8030fb47eaaf11f5363
fa5ce219ed13ed1b4a2d4547d79c953d4a12e034078c9e8d4ff6063f9f71311d
c102f6eeb3bc1106d4201200ca09a72f9b044448d1087db2568078489962563a
48ee5dff920a4d725d5356561c31b5dc86637ff17bb653f0d39cc3485ce905e9
SH256 hash:
843bc31dd295c5b405620f33186bcfc783629e3b39492fe6f31c18e9d4124737
MD5 hash:
7832ca79a498057fc330dcdd7060176b
SHA1 hash:
1697da21e98b177e3d20b658f5102043baf7423b
Link:
https://www.unpac.me/results/b29de309-6974-44b8-85cb-69d22ca744a3/
SH256 hash:
6760bfe341639b55fd35484e828bb0235afa6157a454829a38c4d629ac4fbf74
MD5 hash:
5f531e09976343d3f6df6602d34ba95a
SHA1 hash:
63443e206b65456b8e41c83437abbded6e80e72b
Link:
https://www.unpac.me/results/b29de309-6974-44b8-85cb-69d22ca744a3/
SH256 hash:
48ee5dff920a4d725d5356561c31b5dc86637ff17bb653f0d39cc3485ce905e9
MD5 hash:
ff7a09ab13940871ecf1cf32ec38c24a
SHA1 hash:
eb231cec15fd73eb18e4dffc124475589083b59f
Link:
https://www.unpac.me/results/b29de309-6974-44b8-85cb-69d22ca744a3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.57
Link:
https://yomi.yoroi.company/submissions/48ee5dff920a4d725d5356561c31b5dc86637ff17bb653f0d39cc3485ce905e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MassLogger
Create hunting rule
Author:kevoreilly
Description:MassLogger
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip b6f6082787133fe6e91ce708238bd92f50a35625f94233b86a5c8e4d7e28af83

MassLogger

Executable exe 48ee5dff920a4d725d5356561c31b5dc86637ff17bb653f0d39cc3485ce905e9

(this sample)

  
Dropped by
MD5 5db540f434c304b0c8b3925f4f0f9ec4
  
Dropped by
SHA256 b6f6082787133fe6e91ce708238bd92f50a35625f94233b86a5c8e4d7e28af83
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/122374/

Comments