MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e5cd58bde50562e6f982fccbca8441178d936189be102809c3ec3ca62cc7cbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e5cd58bde50562e6f982fccbca8441178d936189be102809c3ec3ca62cc7cbd
SHA3-384 hash: f4e7f05ec444c2fecdc8aa1ecf521a8f303ecaf8358ebbfc0c09cb1e812c5018ac592a4cc790073d487a1a257dc0036e
SHA1 hash: 02404d18c3d590abfedae02ecd17f14335dce2d3
MD5 hash: 51ee25f8c0cdcb0ecf0f25f9fbafbd28
humanhash: robert-golf-lemon-shade
File name:51ee25f8c0cdcb0ecf0f25f9fbafbd28
Download: download sample
Signature MassLogger
Create hunting rule
File size:33'563'648 bytes
First seen:2022-06-14 05:42:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 786432:F3HQ7H8ZguDLBVwZH5iVrGtrDMEMtxaA99kGat:IH8Z/DLBgH5ihGxonx/d
Threatray 4'769 similar samples on MalwareBazaar
TLSH T1DD77336DA5C81326D44C8A7253688CE1349768395DEEA1FD693877B8F4FB28C5C83B07
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 0ccaaaa4b4a40cac (5 x LummaStealer, 2 x AgentTesla, 1 x SnakeKeylogger)
Reporter zbetcheckin
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
391
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
51ee25f8c0cdcb0ecf0f25f9fbafbd28
Verdict:
No threats detected
Analysis date:
2022-06-14 05:45:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/67e01d78-164c-4109-ab16-6da59b029557

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a file
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
certreq.exe packed
Link:
https://www.filescan.io/uploads/62a8202696efd87b05f7755c/reports/7df4f42c-f6a7-437e-9e43-7ce1eef6a4f0/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1012570
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 645066 Sample: LX4j6n9GYw Startdate: 14/06/2022 Architecture: WINDOWS Score: 100 33 233.75.3.0.in-addr.arpa 2->33 43 Snort IDS alert for network traffic 2->43 45 Multi AV Scanner detection for domain / URL 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 7 other signatures 2->49 8 LX4j6n9GYw.exe 14 7 2->8         started        signatures3 process4 dnsIp5 35 ftuappz.com 15.204.130.182, 49818, 80 HP-INTERNET-ASUS United States 8->35 27 C:\Users\user\AppData\Roaming\...\certreq.exe, PE32+ 8->27 dropped 29 C:\Users\user\...\certreq.exe:Zone.Identifier, ASCII 8->29 dropped 31 C:\Users\user\AppData\...\LX4j6n9GYw.exe.log, ASCII 8->31 dropped 51 Creates an undocumented autostart registry key 8->51 53 Writes to foreign memory regions 8->53 55 Modifies the context of a thread in another process (thread injection) 8->55 57 Injects a PE file into a foreign processes 8->57 13 MSBuild.exe 2 8->13         started        17 cmd.exe 1 8->17         started        19 powershell.exe 17 8->19         started        file6 signatures7 process8 dnsIp9 37 185.140.53.195, 49941, 49942, 49943 DAVID_CRAIGGG Sweden 13->37 39 185.140.53.20, 49941, 49942, 49943 DAVID_CRAIGGG Sweden 13->39 41 233.75.3.0.in-addr.arpa 13->41 59 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->59 61 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->61 21 conhost.exe 17->21         started        23 timeout.exe 1 17->23         started        25 conhost.exe 19->25         started        signatures10 process11
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Mamut
Create hunting rule
Status:
Malicious
First seen:
2022-06-14 04:48:09 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
6
AV detection:
10 of 39 (25.64%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jzonlc66kblc434yf7glzkcecf4nsnqytpqqfae4h3b4uywmps6q._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
0b1c3985cfe6fd26489cc745f60cf63e6bea52b410c099e3434befa2c6568b19
MassLogger
0d36da3b7cb3f21997103e31ad4deb2a6114529b53839503b4a4480019f253ba
MassLogger
4ef5d37b29ba34c3c1a1d3dc36106c29aa043ba5869fadeb6ee52df7d13f8079
MassLogger
c299f699ca06f4eec5c21dcb915ab7c49f35ddb54362c29c6de9f5ff51ebfb2c
MassLogger
c78ef90c99097acb04847fe5b99a5ad110e2d8dff9ec7c4caf37e3411a063c2a
MassLogger
ca4b7842266223b9ad97b8bd313e12b9e5291db33eb8ffbcecadc1f2b328780a
MassLogger
+ 4'759 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection
Link:
https://tria.ge/reports/220614-gelmfacbdq/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e5cd58bde50562e6f982fccbca8441178d936189be102809c3ec3ca62cc7cbd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe 4e5cd58bde50562e6f982fccbca8441178d936189be102809c3ec3ca62cc7cbd

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2237324/

Comments


Avatar
zbet commented on 2022-06-14 05:42:11 UTC

url : hxxp://file.runespectrals.com/1/ucsvc.exe