MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55eac28159a33a69256885d8d0b500028d54c36390d5f7efcb4b48a3849e5ae5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	55eac28159a33a69256885d8d0b500028d54c36390d5f7efcb4b48a3849e5ae5
SHA3-384 hash:	a2104e5be7a71710df967087f584332595adfb9bfbc614726d9b50d564f7a45c73302f0758c34388048cb5fd6c64f9aa
SHA1 hash:	62d956800f2cf4619d6b70c7f4727d6ae7e91efa
MD5 hash:	024b2dadd95d7386aeb3c517d54bb7c1
humanhash:	golf-lemon-ceiling-solar
File name:	Eegxx4iIQwiJwda.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'255'424 bytes
First seen:	2020-08-06 13:54:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:mIYxPeT3XsjJCC8v0O96ltXuvm6r8WunnYC81SZlgV:mIPLckxvLv6VnYCkSjgV
Threatray	721 similar samples on MalwareBazaar
TLSH	DA45D0C2E5409E51EC694A3A4C3389924B33AC5FEF468606349CFA556BF31D66E34F83
Reporter	James_inthe_box
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/41253/

Detection(s):

SecuriteInfo.com.Trojan.Inject3.48221.20773.27913.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/414047

Signature

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/55eac28159a33a69256885d8d0b500028d54c36390d5f7efcb4b48a3849e5ae5/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-06 09:26:29 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kxvmfakzum5gsjliqxmnbniaakgvjq3dsdk7p36ljnekhbe6llsq._file

Verdict:

unknown

MassLogger

4c172115335644672c3a6ef0b6db25528e124eed105da496db95f2672d7120ea

MassLogger

81294a847822a4b2b75133370a6b627d8fd2db2470767608522c4229ffa88133

MassLogger

89af10238032ab225e998887850c3910abd7183e67018abfe56b0bdebf2d50d9

MassLogger

96af26169543b638599cd1c9e7b236572c5cdab29c844d7e824b30f0a2cbab16

MassLogger

a4df7bd8daff5a4723055c7589244e1719c45223f09f42b06a621aad5ee1f2f4

MassLogger

aa30ea6f5603484a2f71a0fa1429cef880ee018c6b3557ad09708dca055cbb22

MassLogger

ce41031b56cdb4cf97a4c9e24b14ffd16672719457b5a394daa7a4ccb91591bf

MassLogger

cf9aa52cd8829760f779772b7b483ff039100b5d6311c85f969553b6ce66d58b

MassLogger

df68e151234024e309edd6285be6afa2ac21b30fa660f3aefe4417b17ab27400

MassLogger

+ 711 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200806-xt1psbe9qs/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/55eac28159a33a69256885d8d0b500028d54c36390d5f7efcb4b48a3849e5ae5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/426035/

Cape

https://www.capesandbox.com/analysis/41253/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample