MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f0c0ef8b72bc8ee231fea25cb78b8ddadd17225976e883be73f0b1dc7c7f2fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f0c0ef8b72bc8ee231fea25cb78b8ddadd17225976e883be73f0b1dc7c7f2fa
SHA3-384 hash: 38bb0d40ee3dd17b0a353eedee00faa6b60ab27cdbdace313098ff24175fed5fd0de4ccb075a3ad7b0ec5ea6422e10b0
SHA1 hash: 715cf64fc4d7977d78d63e8b027360944f82695e
MD5 hash: 6c66ad552121ad6a31b68a2d337c7195
humanhash: carbon-charlie-idaho-single
File name:6c66ad552121ad6a31b68a2d337c7195.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:836'608 bytes
First seen:2020-09-26 07:38:01 UTC
Last seen:2020-09-26 08:39:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:xnUvdomKS4IopqtAbCzUduM38kv2Gkt+TYh2Io6EwCT9JdoVsX13Whagd75geY+t:J4FUCYL21tNdEwCT9CsXpWhN6+UHI
Threatray 608 similar samples on MalwareBazaar
TLSH 0705F12066E05F4AD1BD9F7884290D0057F3F603C366EF5EFDE460B91BA6B808B66752
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
MassLogger SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.437.13228.3315.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/475728
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f0c0ef8b72bc8ee231fea25cb78b8ddadd17225976e883be73f0b1dc7c7f2fa/
Threat name:
ByteCode-MSIL.Trojan.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2020-09-25 00:46:11 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l4ga56fxfpeo4iy75is4w6fy3ww5c4rfs5xiqo7hh4fr3r6h6l5a._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
048975b189f2d2b114f3ee0b5ac27d5d74d293ceffa551593bf546eff30c8e72
MassLogger
0af074fb50cdce569d93eca7b4c4ba00bd6aca46ebf048be2b41e1d42446f0a9
MassLogger
2926c85cd65bf6dae21e2fd26f57285b0987b76f9dc1d6e33e19f95f96e0f09b
MassLogger
4525a67f95e89fc3f2578b8f5896ab245bb39b6e23073b4160a80ada9c8308bb
MassLogger
4d6b9805be6686ee8a01a91f2e8b949b0aeebd7dcd4ef555cd84e0eb8accc678
MassLogger
61f9e2434845dea706b881d09a70bad95ba36d3f61a83ff892b2b922e3dfab27
MassLogger
6beff4ded7f127b4525fbd2c5ae4894b5f525b8c143814108830e26b9c9a9ec3
MassLogger
7d46a9b93fbb4dd08714ff19e94f51dcf4ad1961fee1c5750d069c9b6e4f78a2
MassLogger
d3ed0d9761ed71f34bc776ea9f593ef1d79fc84ef2741d39c7fb101d66a194b4
MassLogger
f8a621b4900824e4ae9ce13884bfc7e10c9867d0a578c71fe59680fe9523d56c
MassLogger
+ 598 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200926-8me98z4jbj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Unpacked files
SH256 hash:
2d9fadf879d39a8e5e360b33190d8e37832626a47d8fb039177ff9d611b756d8
MD5 hash:
9a2af5b86a43ac4f481df718ad17408a
SHA1 hash:
54adcbf3bad87d4c7a632a1eaa5dbd3237130978
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/d401159e-4b97-4014-99a0-f3be3944264d/
Parent samples :
983d5230e9c25016185e43b439e5d42e5018b0688dff7a354f4ebf282c4ee76f
f94e93ad699e6c297288e50a6661e7e39105b6257af8dc7b0f9a1fd99a09bc03
5f0c0ef8b72bc8ee231fea25cb78b8ddadd17225976e883be73f0b1dc7c7f2fa
92c9a0926da348abc0898bcd4ca5dc955f2c09f14a22b525cc380fa68060154a
0c121b8b0d5cb95df98ef017aee09a33d858d96b3d849c30c8735384c89a22c4
cb554ff729a2e33d8ecc4ec2a6dbce1b35052760d87412682e1b5e678b569225
SH256 hash:
7406b88a3b2980f61e9e99927a0f72ddb1d076031570506a340e3370b4957c22
MD5 hash:
ba455da976451b3e036276b28bdae197
SHA1 hash:
54e5f417cfa5b1c921d75ee64ed39342ec70a723
Link:
https://www.unpac.me/results/d401159e-4b97-4014-99a0-f3be3944264d/
SH256 hash:
785261875049471f6432827571071af39fdb06ec0a223224c12792201a9f66e5
MD5 hash:
e41b095949e16c551511c80acfc18ac2
SHA1 hash:
c1c9299481d8604297151f48ac8c790c9e920504
Link:
https://www.unpac.me/results/d401159e-4b97-4014-99a0-f3be3944264d/
SH256 hash:
0487e8c1407241c842ee9fe969945b11e994c970f66fec4184a55546b029b534
MD5 hash:
9f3227facb76d118c2714b3b134a1dfb
SHA1 hash:
df2c0f9015ef07708e20a12925f0af2c780e1122
Link:
https://www.unpac.me/results/d401159e-4b97-4014-99a0-f3be3944264d/
SH256 hash:
a4009288982e4c30d22b544167f72db882e34f0fda7d4061b2c02c84688c0ed1
MD5 hash:
7c359500407dd393a276010ab778d5af
SHA1 hash:
4d63d669b73acaca3fc62ec263589acaaea91c0b
Link:
https://www.unpac.me/results/d401159e-4b97-4014-99a0-f3be3944264d/
SH256 hash:
5f0c0ef8b72bc8ee231fea25cb78b8ddadd17225976e883be73f0b1dc7c7f2fa
MD5 hash:
6c66ad552121ad6a31b68a2d337c7195
SHA1 hash:
715cf64fc4d7977d78d63e8b027360944f82695e
Link:
https://www.unpac.me/results/d401159e-4b97-4014-99a0-f3be3944264d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
MassLogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f0c0ef8b72bc8ee231fea25cb78b8ddadd17225976e883be73f0b1dc7c7f2fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe 5f0c0ef8b72bc8ee231fea25cb78b8ddadd17225976e883be73f0b1dc7c7f2fa

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/66020/
  
URLhaus
https://urlhaus.abuse.ch/url/410917/
  
Delivery method
Distributed via web download

Comments