MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 605d33feb84698a586469452610db4eb8c75c256a23f4536ed38fb84110f183b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 605d33feb84698a586469452610db4eb8c75c256a23f4536ed38fb84110f183b
SHA3-384 hash: 1d1e0dd20b45a3c8453897ea50c045c65d229ec5c5659ffb1f9d0033bc8e605ef5b68a9d6889dd1149dda8374b23b0e0
SHA1 hash: 054692ef123ee21175c8a2c8072364514da3ff2f
MD5 hash: df77d8068f687389fea60c2f5de9fdec
humanhash: diet-double-march-nebraska
File name:df77d8068f687389fea60c2f5de9fdec.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'205'760 bytes
First seen:2020-10-13 06:03:20 UTC
Last seen:2020-10-13 07:08:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:4SV/TQEBKGTMfcQiTe/YQKMiEen7AYkOP:1J5TwcXSwQe7A
Threatray 821 similar samples on MalwareBazaar
TLSH 8C459EF139C6686CD52A47718176A1C3F67D32CB3F6A9E0F71DA430C4E25A2B935221B
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
MassLogger SMTP exfil server:
mail.ziv-investment.com

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70279/
Detection(s):
SecuriteInfo.com.BackDoor.Spy.3770.27781.17465.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a window
Creating a file
Running batch commands
Launching a process
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/489231
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 297071 Sample: qpgnZqsuvJ.exe Startdate: 13/10/2020 Architecture: WINDOWS Score: 100 35 Antivirus / Scanner detection for submitted sample 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected MassLogger RAT 2->39 41 3 other signatures 2->41 7 qpgnZqsuvJ.exe 9 2->7         started        11 pcalua.exe 1 2->11         started        13 pcalua.exe 1 1 2->13         started        process3 file4 27 C:\Users\user\qwejd.exe, PE32 7->27 dropped 29 C:\Users\user\qwejd.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\...\qpgnZqsuvJ.exe.log, ASCII 7->31 dropped 33 2 other files (none is malicious) 7->33 dropped 53 Drops PE files to the user root directory 7->53 55 Tries to detect virtualization through RDTSC time measurements 7->55 15 cmd.exe 1 7->15         started        17 qwejd.exe 2 7->17         started        19 qwejd.exe 3 11->19         started        signatures5 process6 signatures7 22 reg.exe 1 1 15->22         started        25 conhost.exe 15->25         started        43 Antivirus detection for dropped file 19->43 45 Multi AV Scanner detection for dropped file 19->45 47 Machine Learning detection for dropped file 19->47 49 Tries to detect virtualization through RDTSC time measurements 19->49 process8 signatures9 51 Creates an autostart registry key pointing to binary in C:\Windows 22->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/605d33feb84698a586469452610db4eb8c75c256a23f4536ed38fb84110f183b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 16:28:19 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mboth7vyi2mklbsgsrjgcdnu5oghlqswui7uknxnhd5yieipda5q._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
0e7ba6c8acc0e3de5a31e050eb287daba683c992e12c4715730ef3ccf3bbf575
MassLogger
2d3cf92d298fced13bf5f5d9feaf4b68294365bd89496f1bc064da7a418bda5f
MassLogger
367c31b38577406fec107ed639cc6503710de53d8326b92504fd3919105ffce9
MassLogger
4b652aeecc3af929f45e0bf93e3d87b989e58cca29557f8bbdcc33cbd42a521a
MassLogger
5bdd8fcb0b442af74059f57685a3f8dfe24d2d8487e8e5d209e80faccd17d4f3
MassLogger
84e0b5e6daeb11cdca531a22315506ee74a14bd6b0ae9c563fde694aa955867a
MassLogger
b1c87bb82c46e28ccb5188475def1c24b3239f0508372163cd75d2abc6eaf049
MassLogger
cf68e1b1e8e89cf03b0d721957c794936947c8cf5f8c30401c20e075e4b37c6e
MassLogger
e2ebeb9d7ac12f7465a44a186f2bc83be704f09a003530f40474bb4546769124
MassLogger
e548234adb2b484793484466ef99084bb77854de66782af91e38420a198b4f83
MassLogger
+ 811 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware stealer spyware family:masslogger persistence
Link:
https://tria.ge/reports/201013-3mvg4shy12/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
MassLogger
MassLogger Main Payload
MassLogger log file
Unpacked files
SH256 hash:
605d33feb84698a586469452610db4eb8c75c256a23f4536ed38fb84110f183b
MD5 hash:
df77d8068f687389fea60c2f5de9fdec
SHA1 hash:
054692ef123ee21175c8a2c8072364514da3ff2f
Link:
https://www.unpac.me/results/61f6d181-f648-4339-81ca-2b40164621c4/
SH256 hash:
6f394941be37f2676ff47f42f0b0cf22c0485f6530aad62a00c57c0fc2aa0016
MD5 hash:
624a433314e3401e80431332713a09d0
SHA1 hash:
9d995b6d0b108005aba8e75b21032512100e51d6
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/61f6d181-f648-4339-81ca-2b40164621c4/
SH256 hash:
e3f3f21f1da73f127615d0ce7f20b1159facd9b5015ef223de73dddbcdf1f59a
MD5 hash:
7a4f8f06291d4cff66c36c4963e2d0e6
SHA1 hash:
dfe8b19e175fb63bd891664e11e9f7fa646f4bf1
Link:
https://www.unpac.me/results/61f6d181-f648-4339-81ca-2b40164621c4/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/61f6d181-f648-4339-81ca-2b40164621c4/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/605d33feb84698a586469452610db4eb8c75c256a23f4536ed38fb84110f183b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/70279/

Comments