MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 604ba7cdc57afe861bba16c1b768428632b09bde9b4b7bef1a74f52175c14071. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash:	604ba7cdc57afe861bba16c1b768428632b09bde9b4b7bef1a74f52175c14071
SHA3-384 hash:	ecf54463d243ed8acbef880f57f4e377aba398e9e724c8408a02323da0a4050291dbe890c777c08c3923ce3624f1d52d
SHA1 hash:	afafd5d235a9e856a06ab05beb26cfc8b0c0cf54
MD5 hash:	3b5be92579f96de6e29a230c37c4a786
humanhash:	massachusetts-july-march-enemy
File name:	XN33CLWH.EXE
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'059'328 bytes
First seen:	2020-11-18 06:43:15 UTC
Last seen:	2020-11-18 14:39:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:SLxO5mmxXw9NK3s2xHFhREe/P4kuVJDL58yKAqESEcSAmqVmqrEEa7wTx452VmVX:PA23suHbye/veIyKAq8trqPa72452b
Threatray	663 similar samples on MalwareBazaar
TLSH	9C35F1396779AB26E0BC8B7B88505814D3FAEC11D663C51BBCF4F48965E0FE8053164B
Reporter	cocaman
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Agent.EZAG.1745.4773.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Launching a process

Reading critical registry keys

Setting a global event handler for the keyboard

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/540404

Signature

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/604ba7cdc57afe861bba16c1b768428632b09bde9b4b7bef1a74f52175c14071/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-11-18 01:00:35 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mbf2ptofpl7img52c3a3o2ccqyzlbg66tnfxx3y2ot2sc5obibyq._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

0fbe3c1eaa360c2e44eba7d89d9c0383d30d1a4fc80a7cecb9bb0b81c6f4c6aa

MassLogger

1a9a0333c8c544cdf43f51eaa895169513c27bdb818f42bb301d476ac1330672

MassLogger

23cb1d198cca93539a5bdbf18ce44ae3692be0ae968b5fe55e3794ec481aa1cf

MassLogger

4b174227ea49d30f3378e8469d9849015779d6d3da73333ad0b386411bfade20

MassLogger

67377c6c2259974077c2b7476f77823862ed6d5c6ce95c579e101b3d0a81b71e

MassLogger

7428f5ccb3fa2d0ba8b295efd15c9acc87674180aa1d3bf71e8b91cd0a038381

MassLogger

9c4a2d8473718bdb1725450b6f0567098006b9aa89fbd913acab1bab0857143d

MassLogger

b136291a17e064dd9d44cc454556980107d96da2a0adb1a31eb2db3531b6832a

MassLogger

be978699739f217bd2d71f769d8f16ba1a90c519fd10f19475d4e040f9e7c05c

MassLogger

+ 653 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

family:masslogger spyware stealer

Link:

https://tria.ge/reports/201118-5ts56f87vn/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

MassLogger

MassLogger Main Payload

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf