MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53683da1f2e21ec38952bbde9fd4e04330333cbda4185d1562f99ab31af17ea5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53683da1f2e21ec38952bbde9fd4e04330333cbda4185d1562f99ab31af17ea5
SHA3-384 hash: daca1821e7978981fba89b7feb4c949378fae3964822d41ff11cd7d70d4dd61cdff4eee8b49f44e060202abe6885622c
SHA1 hash: 4bb84adc5fa25b720776947e1d677a01e4e38fb5
MD5 hash: 7a2383c694b62f4e180ce68ca761407a
humanhash: jig-green-lamp-mango
File name:PAYMENT REMIT COPY 673578.pif.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:625'664 bytes
First seen:2020-11-30 14:24:38 UTC
Last seen:2020-11-30 15:58:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:jyxrn91M3inGNER+7kTaNYBSXjJPtrfLE4mw:uJ9ujJmSXjJPtr/B
Threatray 561 similar samples on MalwareBazaar
TLSH 35D402C3B6484574FE6B5BBAF96B089902331D3919F0956D399EB67B0AB3343041BD0B
Reporter James_inthe_box
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Masslogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/106053/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.5985.23412.19102.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Result
Gathering data
Result
Threat name:
MassLogger RAT MicroClip
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/550934
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Yara detected MicroClip
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 324584 Sample: PAYMENT REMIT COPY 673578.pif.exe Startdate: 30/11/2020 Architecture: WINDOWS Score: 100 29 cdn.onenote.net 2->29 31 g.msn.com 2->31 51 Multi AV Scanner detection for dropped file 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected MassLogger RAT 2->55 57 6 other signatures 2->57 7 PAYMENT REMIT COPY 673578.pif.exe 1 6 2->7         started        11 vlc.exe 2 2->11         started        13 vlc.exe 3 2->13         started        signatures3 process4 file5 25 C:\Users\user\AppData\Roaming\...\vlc.exe, PE32 7->25 dropped 27 C:\...\PAYMENT REMIT COPY 673578.pif.exe.log, ASCII 7->27 dropped 59 Injects a PE file into a foreign processes 7->59 15 PAYMENT REMIT COPY 673578.pif.exe 15 2 7->15         started        19 vlc.exe 2 11->19         started        21 vlc.exe 11->21         started        23 vlc.exe 14 2 13->23         started        signatures6 process7 dnsIp8 33 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.252.4, 49743, 80 AMAZON-AESUS United States 15->33 35 nagano-19599.herokussl.com 15->35 37 api.ipify.org 15->37 47 Tries to steal Mail credentials (via file access) 15->47 49 Tries to harvest and steal browser information (history, passwords, etc) 15->49 39 54.235.182.194, 49757, 80 AMAZON-AESUS United States 19->39 43 2 other IPs or domains 19->43 41 54.235.142.93, 49753, 80 AMAZON-AESUS United States 23->41 45 2 other IPs or domains 23->45 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/53683da1f2e21ec38952bbde9fd4e04330333cbda4185d1562f99ab31af17ea5/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-11-29 23:59:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=knud3ips4ipmhcksxppj7vhaimydgpf5uqmf2flc7gnlggxrp2sq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
047e9f8b825378da0ad294496cbed35ff024c2742993e6eb0d4a1bc94c6bdb02
MassLogger
08c7131cac4c6c62004d8b2e3ce0b85d1b35e7325f753a865206814cd87ecdf4
MassLogger
13f0c6e6a5c9f192c09a6e3a3768e8e31548b04a6839b28731862707c2689ac2
MassLogger
25f48722bf24e935d7bdca104b416f87424ced29dfec2fbebc817725f09af5f1
MassLogger
a920f6bd5e8cf8734daa7aa6b0a79b3edc9725c436f5b6bdec9a7490792c8298
MassLogger
d8aebda89bb5717256e78b44dd9e9ef54179d3590f7a6125da452e877c083c48
MassLogger
dd652810ff0fc0288768ac20d5fcc76f7bc517c3ed8b066a18340a8b69c69c3a
MassLogger
e1392a3d2fb4e8f4642bac6694948fc8ceeb970fc5acce7c04b4d97352122be8
MassLogger
e576e88eba32ee86d13bd2d490595abe936b78955d193d5523f0f5ad23c5ec9c
MassLogger
f8776b137f7c04fd40d7b3739011710eedbfe4472e013904300ca6ebc93a3c37
MassLogger
+ 551 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger persistence spyware stealer
Link:
https://tria.ge/reports/201130-kzdm7rysnj/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
2b34f980101fa9a891cffdfd99b9195af31690d6a4155f90c0f54b1e7e9094bc
MD5 hash:
8ccd64f3f79d1e9a2fddb3e04374bde2
SHA1 hash:
f2d88f5924781227ab863383fccdb99b89a02ae3
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/4af57f36-cebd-4f21-949b-771a99bd0814/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/4af57f36-cebd-4f21-949b-771a99bd0814/
SH256 hash:
e51d2ca6c3c9785015ffd72305a5d97b6828a58113d21b0a41d07cbd408bff6f
MD5 hash:
c51c41887eac02df65da1e0342508e90
SHA1 hash:
2b0f803378a4ad5e478837900ad87fbac00446cf
Link:
https://www.unpac.me/results/4af57f36-cebd-4f21-949b-771a99bd0814/
SH256 hash:
53683da1f2e21ec38952bbde9fd4e04330333cbda4185d1562f99ab31af17ea5
MD5 hash:
7a2383c694b62f4e180ce68ca761407a
SHA1 hash:
4bb84adc5fa25b720776947e1d677a01e4e38fb5
Link:
https://www.unpac.me/results/4af57f36-cebd-4f21-949b-771a99bd0814/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
MassLogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/53683da1f2e21ec38952bbde9fd4e04330333cbda4185d1562f99ab31af17ea5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MassLogger
Create hunting rule
Author:kevoreilly
Description:MassLogger
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/106053/

Comments