MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 596a1c5715dc377f51c2f905f8d80302f1c6e3ea9352da6f1760061b09361d2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 5

Intelligence 5 IOCs YARA 2 File information Comments

SHA256 hash:	596a1c5715dc377f51c2f905f8d80302f1c6e3ea9352da6f1760061b09361d2b
SHA3-384 hash:	c79aeb42ad845cce2a1df6422454886728825a592338babf1ffd6daa7e187d68332f3d9466397374c74b53cd7a440863
SHA1 hash:	d72c9c8f270cb5b70d1b44dd2bac968aaacd7a26
MD5 hash:	441e44d0a3f55b55e8150e9250d5c20c
humanhash:	wolfram-foxtrot-florida-india
File name:	02_extracted.dll
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	125'440 bytes
First seen:	2021-06-04 06:35:42 UTC
Last seen:	2021-06-04 07:58:53 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep	3072:Q3mdUTRx6ByKNhnXNpkcxBbDOL6L0rXA7Jst9Qtfh5R:QWdUTRmyKNhnXzBbDOOIEJ6QD
Threatray	772 similar samples on MalwareBazaar
TLSH	26C3E61A76804B11C58C58B5C1E7993907E7B9CB2B77E3853E9952CA0E413E8CD8B7CE
Reporter	Racco42
Tags:	dll MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/164540/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.46328823.16517.28994.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/797114

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/596a1c5715dc377f51c2f905f8d80302f1c6e3ea9352da6f1760061b09361d2b/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-04-17 15:42:53 UTC

AV detection:

15 of 28 (53.57%)

Threat level:

5/5

Verdict:

malicious

Label(s):

masslogger

MassLogger

150e8ef3f1b0d5b5b2af2ffc8d540cb0e36ecdcaf5001bab2f318e36a3c25302

MassLogger

284e6c1be1082009ad41635b412d4a68fda91db0db225edacfcb2d80056e039c

MassLogger

32c68f91ed1fb9707c884eab8b0a0dc11a5a83a3bee9e35616b9c3cba0ef8489

MassLogger

3aeac75dedb84f873b1982843de3adcf11d956f1645eb7a91625de0dd67f1f8a

MassLogger

3f9b5ecaed880f50c6bee7504768aa9f362326666ff2197cc487f0707bff56fa

MassLogger

586d1a857c5a8c41192992c4eb6cf61810e5d7289e761369ff2ac25f173d052d

MassLogger

8506352e60dea0ee05bff79a9408f910850735939399bdf040c40ffdead19d61

MassLogger

89d2c8b2ef681c0e34e5d0f1ecb6aa850c90380a7cced1347bf9f7ed5b3fbd31

MassLogger

bc311f3c19e407e05cc082c71c5b5691a3eeb553338906b6d2dce9dc5b8f4be7

MassLogger

+ 762 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210604-sx45a6pvnn/

Behaviour

Suspicious use of WriteProcessMemory

Unpacked files

SH256 hash:

596a1c5715dc377f51c2f905f8d80302f1c6e3ea9352da6f1760061b09361d2b

MD5 hash:

441e44d0a3f55b55e8150e9250d5c20c

SHA1 hash:

d72c9c8f270cb5b70d1b44dd2bac968aaacd7a26

Link:

https://www.unpac.me/results/d7168fb3-7ddf-455c-abcc-c7d33e27ea89/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.14

Link:

https://yomi.yoroi.company/submissions/596a1c5715dc377f51c2f905f8d80302f1c6e3ea9352da6f1760061b09361d2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	extracted_at_0x44b Create hunting rule
Author:	cb
Description:	sample - file extracted_at_0x44b.exe
Reference:	Internal Research

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/164540/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample