MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b21973994a4c674d4dd888226ffdfc50704bf10bdf6503c6c4a1c31ad95bfa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b21973994a4c674d4dd888226ffdfc50704bf10bdf6503c6c4a1c31ad95bfa2
SHA3-384 hash: e1a00d4174f064807917556dc2f5e127451d4376a38ad3eac1a069cabb7f927ad1b4ebd402e4252b75a7083ab8fdea6a
SHA1 hash: 13b3e65876c238ed6257590116c7817ce1b40260
MD5 hash: 4efddcb5dc1617bd8a38451657291b42
humanhash: fish-saturn-minnesota-cup
File name:svch.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'094'144 bytes
First seen:2021-05-11 13:02:32 UTC
Last seen:2021-05-11 13:53:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'654 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:foLA+2/nen/lDwXBPRQ2rbcOnUo9OLd+NxMaPeQ/4qKx:CcnenSXhCy7Uo9OLQ4a/4H
Threatray 629 similar samples on MalwareBazaar
TLSH 1B35BEFC755464FDD34B5C23A7CF0C0682252274AA3B690B8B2113BA5A5BE173F399C9
Reporter James_inthe_box
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Detection:
MassLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/155100/
Detection(s):
SecuriteInfo.com.Malware.AI.3818671168.23799.5815.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DHCP request
Sending a UDP request
Launching a process
Creating a window
Launching a service
Modifying a system file
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Enabling autorun by creating a file
Deleting of the original file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/778636
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 411047 Sample: svch.exe Startdate: 11/05/2021 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Multi AV Scanner detection for dropped file 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 6 other signatures 2->48 8 svch.exe 6 2->8         started        process3 file4 30 C:\Users\user\AppData\...\JdWvNPHjWsh.exe, PE32 8->30 dropped 32 C:\Users\user\AppData\Local\...\tmp2A47.tmp, XML 8->32 dropped 34 C:\Users\user\AppData\Local\...\svch.exe.log, ASCII 8->34 dropped 50 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->50 52 May check the online IP address of the machine 8->52 54 Uses schtasks.exe or at.exe to add and modify task schedules 8->54 56 2 other signatures 8->56 12 svch.exe 15 2 8->12         started        16 schtasks.exe 1 8->16         started        18 svch.exe 8->18         started        signatures5 process6 dnsIp7 36 porathacorp.com 103.6.196.138, 49758, 587 EXABYTES-AS-APExaBytesNetworkSdnBhdMY Malaysia 12->36 38 mail.porathacorp.com 12->38 40 3 other IPs or domains 12->40 58 Tries to steal Mail credentials (via file access) 12->58 60 Tries to harvest and steal browser information (history, passwords, etc) 12->60 62 Adds a directory exclusion to Windows Defender 12->62 20 powershell.exe 26 12->20         started        22 powershell.exe 14 12->22         started        24 conhost.exe 16->24         started        signatures8 process9 process10 26 conhost.exe 20->26         started        28 conhost.exe 22->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b21973994a4c674d4dd888226ffdfc50704bf10bdf6503c6c4a1c31ad95bfa2/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-05-11 09:41:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
21 of 29 (72.41%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jmqzoomuutdhjvg5rcbcn767yudqjpyqxx3fapdmjioddlmvx6ra._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
2d72381a89f07ac880d001d5cec532b9900db1030fc269687752863174fab88f
MassLogger
5b32ffc4c10114b55115da9f2c6e4ee22222f5d305552daf00a287b82d66c9dc
MassLogger
6030faadae8d2aa1b94b06da9c0d4ed3ce33076a1bc04218027519b1043a6a95
MassLogger
78a59829f0dd9b3ec88a68096284de67dd8806d3690d11f017f7b2893a98354d
MassLogger
7b76df7f72bbd45fc3716b6382b1c6de7421ac7bcfc213221c0b04675fd50e68
MassLogger
b4c677c568152f925904f613d1361015ea9a07d105874411dc7962f57ebd7412
MassLogger
cc8e79ce79d0078b6483062f8fc8d187f5fdcf92c9f51db25551a19d22af0a87
MassLogger
e39ed8bfee05ab6d964885748f4800bf955b47b59002213e34e5b9d331882b98
MassLogger
e9575adae2fa6afb6b8d8fb098feec9d4acbadabda4beeca90433b578cd6afa1
MassLogger
f83ad58372165b89222b164f3da6a0b4edad02409d13df77e713ad860a6489e4
MassLogger
+ 619 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger spyware stealer
Link:
https://tria.ge/reports/210511-c6743csx86/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
MassLogger
MassLogger Main Payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b21973994a4c674d4dd888226ffdfc50704bf10bdf6503c6c4a1c31ad95bfa2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MassLogger
Create hunting rule
Author:kevoreilly
Description:MassLogger
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/155100/
  
URLhaus
https://urlhaus.abuse.ch/url/1220930/

Comments