MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52610d8b6b7199cca5c5bb423edc65f316e8ab960774aa7348490899c125bcaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52610d8b6b7199cca5c5bb423edc65f316e8ab960774aa7348490899c125bcaf
SHA3-384 hash: 2af1320e3a78b336cfae801d6c585b49687acf34aea8bece6401148fc2038d6c837dc18dbee1744a18614abd0c5e94e3
SHA1 hash: 6ed39e96bf1e08b6aa1768aa4565aec77137a811
MD5 hash: 0b337a80a190e332745cd9d3a22db61d
humanhash: wyoming-victor-jersey-island
File name:Bank_Details.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:684'032 bytes
First seen:2020-10-12 06:22:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:2u2jXlk6Z27FlwnVbrlgXMB7e21SD0NOkldOFrjtE5F41PNs1sj/BzcyycNzi:2rfjaqSD00kMFEcdB4yyyz
Threatray 356 similar samples on MalwareBazaar
TLSH BEE46A3AADD90933D6769672E9E61193EB127A833603DD0F228703450D4376BBCCAE5D
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: saintservices.us
Sending IP: 188.225.11.245
From: Sales Manager <sales@saintservices.us>
Subject: Nov Order / Bank Details
Attachment: Bank_Details.rar (contains "Bank_Details.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Launching a process
Reading critical registry keys
Setting a global event handler for the keyboard
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488053
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52610d8b6b7199cca5c5bb423edc65f316e8ab960774aa7348490899c125bcaf/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 03:20:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kjqq3c3logm4zjofxnbd5xdf6mlork4wa52ku42ijeejtqjfxsxq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
01053beaa477c1cbf38cd7914244da9e75a22f59568056048fefde017503226e
MassLogger
01ed663f821885ce5aecbbfed7ca419743a682a81e535ec89237a88dc1d0c69e
MassLogger
0393a3472d5f00efa4ab91bc086a1908741e10b84925190ff00cb948391a28a8
MassLogger
047e9f8b825378da0ad294496cbed35ff024c2742993e6eb0d4a1bc94c6bdb02
MassLogger
21ada34a203f6a238393d69d9c0aebc680f65e9eb0a9bc472f558709e85c88ee
MassLogger
703698c23e6a2e0a7fa23c5868bb97bccdca0389b47b0ea33a013a959a4a83e6
MassLogger
a920f6bd5e8cf8734daa7aa6b0a79b3edc9725c436f5b6bdec9a7490792c8298
MassLogger
dd5b3d947daecc91aa36e124a5bdcb1cb6b10fdb2d905a9a1e067bd6bdb4065b
MassLogger
dd652810ff0fc0288768ac20d5fcc76f7bc517c3ed8b066a18340a8b69c69c3a
MassLogger
f5d3f20a5e7fc84496267536833b84b4dce1c5cc168014215f396490c1430857
MassLogger
+ 346 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
spyware stealer family:masslogger
Link:
https://tria.ge/reports/201012-bqe2316sh2/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
52610d8b6b7199cca5c5bb423edc65f316e8ab960774aa7348490899c125bcaf
MD5 hash:
0b337a80a190e332745cd9d3a22db61d
SHA1 hash:
6ed39e96bf1e08b6aa1768aa4565aec77137a811
Link:
https://www.unpac.me/results/4f8c05ec-31ce-45d5-a0d0-4cc55c483b58/
SH256 hash:
16ab31f08e741d29dd59895d89de54996108fa55d4be3da50880265bab045429
MD5 hash:
23f6deab6d4ee07076409d2b286f712a
SHA1 hash:
8dbcbc80fe65bd984d176f23b447c2d1ba97edd2
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/4f8c05ec-31ce-45d5-a0d0-4cc55c483b58/
SH256 hash:
165b6353a27653c087637f372f70713e4e0af658e87f03ba0703d8b975525243
MD5 hash:
112730ad698bcb62cfb8c64c4862640a
SHA1 hash:
6b42b1f3f372785c40b4f80c35d6aa2e0d012429
Link:
https://www.unpac.me/results/4f8c05ec-31ce-45d5-a0d0-4cc55c483b58/
SH256 hash:
7975c86ae0a780a25d308dfaa2cdc31b4e2047bfb030711692200a8d35b3f6aa
MD5 hash:
fc30388f73df5bf87163d08be89a37e3
SHA1 hash:
7321bb2a65a054316a49e703c1c51db75b113f7f
Link:
https://www.unpac.me/results/4f8c05ec-31ce-45d5-a0d0-4cc55c483b58/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52610d8b6b7199cca5c5bb423edc65f316e8ab960774aa7348490899c125bcaf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar 8164214bb06a1f001243d97feccbf254997e01f3f443595cfd729e9571a488e4

MassLogger

Executable exe 52610d8b6b7199cca5c5bb423edc65f316e8ab960774aa7348490899c125bcaf

(this sample)

  
Dropped by
MD5 122b694f6c1371f235b5950b1283d0ba
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69970/
  
Dropped by
SHA256 8164214bb06a1f001243d97feccbf254997e01f3f443595cfd729e9571a488e4

Comments