MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4afbf197b53084d8d3d79ffe791e17b5d4dcddec2b77a531cf33ffd54f3f64d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	4afbf197b53084d8d3d79ffe791e17b5d4dcddec2b77a531cf33ffd54f3f64d0
SHA3-384 hash:	699f9f4d10e25b37ebec4ba010b856035928706de17c4f06f8ab0d7521bca9e7c5386fffe487d87f7984910dea00f7ea
SHA1 hash:	652b04ef1f33bbcd52a53333d85335b41714aea9
MD5 hash:	7e1b971b69b45cbaba7e76cbc155a173
humanhash:	autumn-nuts-washington-batman
File name:	WANG 05082020.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	912'896 bytes
First seen:	2020-08-05 08:26:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:TBkWpD0CRV6jzrSIB2JRPR5OZUhPoM4yS+ohZp:TtD0CRVgzrSIBkxOZMoNy0H
Threatray	691 similar samples on MalwareBazaar
TLSH	6A15E08C76555A89F421CEFB1C3100438EA2F89B9566F6871870156E8F7E488FC6FEC9
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing MassLogger:

From: Martin Schraven <mschravenriemer@yahoo.de>
Subject: : Fwd: Wire Transfer Payment
Attachment: WANG 05082020.rar (contains "WANG 05082020.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/39202/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/410561

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4afbf197b53084d8d3d79ffe791e17b5d4dcddec2b77a531cf33ffd54f3f64d0/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-05 03:53:53 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jl57df5vgccnru6xt77hshqxwxknzxpmfn32kmopgp75ktz7mtia._file

Verdict:

unknown

MassLogger

4c172115335644672c3a6ef0b6db25528e124eed105da496db95f2672d7120ea

MassLogger

8f8324aa2244c6ecc4369ef6e5ea25b405ecf48aef96e34cc04c56f6ad240ade

MassLogger

96af26169543b638599cd1c9e7b236572c5cdab29c844d7e824b30f0a2cbab16

MassLogger

a551bc2327862c1430dac51dce368001622525fae235ca689f7b055e0d3125c7

MassLogger

acef143204e66bd0ef761c302176d61d547b9bfd78960c7607a9863bdafaae19

MassLogger

bcd7372fd84fe78e97a72a842df6cab2a5d7a47909a3fd05b13f6f4990de8a7f

MassLogger

ebcea3b90af00f67983ebb15abec7e46a480818904a74764aab402da08d7b16b

MassLogger

f38bf49d1b80576d1df0cea02b590d52b16dfd03acfa6f9776fb010bd88ec38d

MassLogger

f9780f06f0da7544e13584ce58e03ccb796326b01dc2d05f5f5917aa461710be

MassLogger

+ 681 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200805-ymxxlfzd2s/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Creates scheduled task(s)

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4afbf197b53084d8d3d79ffe791e17b5d4dcddec2b77a531cf33ffd54f3f64d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.