MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5580e34f50f932f27c42e1d2b8551aaed212321a4a519442ee38dadb61ecd7f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5580e34f50f932f27c42e1d2b8551aaed212321a4a519442ee38dadb61ecd7f9
SHA3-384 hash: d5ed0512ed5aa3e2d4462511e50271155692cd7000c5a979aadd951c900c49a2e8225c2234ff8f640e043aad7c16964b
SHA1 hash: 60ab8ee81acd53a694a71b03813a55fcd5150569
MD5 hash: b039934236378c8b46a97bb0b7271faf
humanhash: bacon-glucose-charlie-lactose
File name:FZU0vbnbEyyx42D.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'090'048 bytes
First seen:2020-07-17 05:28:44 UTC
Last seen:2020-07-17 08:41:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:lkhkLxOknwg5W0zlcrT0JdsVIAZPkeJooS6j:l3LFnwZCe30nsVzPzF
Threatray 2'896 similar samples on MalwareBazaar
TLSH D335DFD83920748EC55E8E764E60DC309A243C22F6F7C20A67D33E9F793D597DA161A2
Reporter JAMESWT_WT
Tags:MassLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.14672.22173.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/388932
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5580e34f50f932f27c42e1d2b8551aaed212321a4a519442ee38dadb61ecd7f9/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 18:58:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kwaogt2q7ezpe7cc4hjlqvi2v3jbemq2jjiziqxohdnnwypm274q._file
Verdict:
malicious
Similar samples:
10c341f03698c730a4591d844c0d563f19e4a6b87934b45ff0447bd57808bb32
MassLogger
1d9e325f6d234c3d212243a3924f25a2e4acce0db718c57a52480e6994b5e173
MassLogger
27d52d4881c4ef9f8f6dea631a6a635ac7e005a8f5170198dd84fca21d79abc9
MassLogger
3f97dfbae448b3eb28d6f08f666029037d890dc94dbce0e372b4dd2a63fd037f
MassLogger
5e89838b965d79a4782b3f1079a810f8a801c0b91e0cd71081d9580d1b954f70
MassLogger
90ff23943691446d2cf73e28cba8dcd44cc7dc2577cdca70caf839e2331b6447
MassLogger
92276f87f48836d141ee02c8b6f75398ded9a3e4b12b84441e3125933af6c755
MassLogger
a77e9393c4000e96d483a677574a78f004e87837013f7bd1414567d436014b6e
MassLogger
e06e5ba87ec0ed09101fcd62c238777c90c6a59be6bba4ced6890250948e6a4b
MassLogger
f56d7d52023e3a3dd1f6b2c2dc31b11a509d6175ca1385459bcc1cf4a67c9c2f
MassLogger
+ 2'886 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200717-xz4rs64v8n/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5580e34f50f932f27c42e1d2b8551aaed212321a4a519442ee38dadb61ecd7f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe 5580e34f50f932f27c42e1d2b8551aaed212321a4a519442ee38dadb61ecd7f9

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/27199/
  
URLhaus
https://urlhaus.abuse.ch/url/413821/
  
Delivery method
Distributed via web download

Comments