MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6731f235ff78e22e5a0f1503542926bb707a95251b8cbd22c56fbd7fc5a8cbbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 15


Intelligence 15 IOCs YARA 15 File information Comments
Add tag Delete this sample Report a False Positive

SHA256 hash: 6731f235ff78e22e5a0f1503542926bb707a95251b8cbd22c56fbd7fc5a8cbbf
SHA3-384 hash: dfe61a8790df8d981c13c2269b889d15a566b87a2527782da5974522a177a9412dea6cb88e52013781d2a8eed0b9cbea
SHA1 hash: eb68218c1d70f3ba00f8190c8171ad1cfa2fb42a
MD5 hash: 45061e4da841c2587d0890148705a142
humanhash: ten-oklahoma-potato-kilo
File name:45061e4da841c2587d0890148705a142.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:416'083 bytes
First seen:2022-08-05 06:53:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 98f67c550a7da65513e63ffd998f6b2e (6 x AgentTesla, 6 x MassLogger, 4 x CoinMiner)
ssdeep 6144:UvEN2U+T6i5LirrllHy4HUcMQY61DdreIfa:GENN+T5xYrllrU7QY61ra
TLSH T1A3946D6AFB64321AF577D6F0692792697B397D321F629C5F92C06B082474213B2B031F
TrID 58.8% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
22.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
3.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 20047c7c60e0e002 (5 x MassLogger, 2 x Neshta)
Reporter @abuse_ch
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
226
Origin country :
NL NL
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
45061e4da841c2587d0890148705a142.exe
Verdict:
Malicious activity
Analysis date:
2022-08-05 06:58:00 UTC
Tags:
evasion stealer quasar
Link:
https://app.any.run/tasks/c6e346a1-3a6e-4a85-bfc3-b9097b8c4c1e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/296578/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Win.Malware.Swisyn-7610494-0
Create hunting rule

Win.Virus.Sality-6335700-2
Create hunting rule

Win.Malware.Swisyn-9942393-0
Create hunting rule

Win.Malware.Trojanx-9958312-0
Create hunting rule

Win.Trojan.VBGeneric-6735885-0
Create hunting rule

Win.Virus.Sality-6747602-0
Create hunting rule

Win.Malware.Swisyn-6803865-0
Create hunting rule

Win.Trojan.Kazy-304
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Launching a process
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Reading critical registry keys
Setting a single autorun event
Launching the process to create tasks for the scheduler
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun
Enabling a "Do not show hidden files" option
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer greyware keylogger overlay shell32.dll siggen6 swisyn virus
Link:
https://www.filescan.io/uploads/62ecbec89ca9b9bfcbeb1627/reports/d91280fa-1853-4dca-8c88-cab9acb5679d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BluStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/341fd2f5-4e08-4d18-94ec-29d6976688a6
Result
Threat name:
CryptOne, BluStealer, StormKitty
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1046601
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Potential malicious icon found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BluStealer
Yara detected Generic Downloader
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 679096 Sample: Lg3gn9y1Cj.exe Startdate: 05/08/2022 Architecture: WINDOWS Score: 100 93 Potential malicious icon found 2->93 95 Malicious sample detected (through community Yara rule) 2->95 97 Antivirus detection for dropped file 2->97 99 10 other signatures 2->99 11 Lg3gn9y1Cj.exe 1 4 2->11         started        15 explorer.exe 2->15         started        17 svchost.exe 2->17         started        19 8 other processes 2->19 process3 dnsIp4 71 C:\Users\user\Desktop\lg3gn9y1cj.exe, PE32 11->71 dropped 73 C:\Users\user\AppData\Local\icsys.icn.exe, PE32 11->73 dropped 131 Installs a global keyboard hook 11->131 22 icsys.icn.exe 3 11->22         started        27 lg3gn9y1cj.exe 1 11->27         started        133 Changes security center settings (notifications, updates, antivirus, firewall) 17->133 79 127.0.0.1 unknown unknown 19->79 file5 signatures6 process7 dnsIp8 81 192.168.2.1 unknown unknown 22->81 67 C:\Windows\System\explorer.exe, PE32 22->67 dropped 109 Antivirus detection for dropped file 22->109 111 Machine Learning detection for dropped file 22->111 113 Drops executables to the windows directory (C:\Windows) and starts them 22->113 121 2 other signatures 22->121 29 explorer.exe 3 20 22->29         started        115 Writes to foreign memory regions 27->115 117 Allocates memory in foreign processes 27->117 119 Injects a PE file into a foreign processes 27->119 34 AppLaunch.exe 15 3 27->34         started        file9 signatures10 process11 dnsIp12 83 vccmd01.zxq.net 51.81.194.202, 443, 49764, 49766 OVHFR United States 29->83 85 zxq.net 29->85 91 5 other IPs or domains 29->91 75 C:\Windows\System\spoolsv.exe, PE32 29->75 dropped 77 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 29->77 dropped 137 Antivirus detection for dropped file 29->137 139 System process connects to network (likely due to code injection or exploit) 29->139 141 Creates an undocumented autostart registry key 29->141 149 3 other signatures 29->149 36 spoolsv.exe 2 29->36         started        87 icanhazip.com 104.18.114.97, 49753, 80 CLOUDFLARENETUS United States 34->87 89 64.89.4.0.in-addr.arpa 34->89 143 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 34->143 145 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->145 147 May check the online IP address of the machine 34->147 151 2 other signatures 34->151 file13 signatures14 process15 file16 65 C:\Windows\System\svchost.exe, PE32 36->65 dropped 101 Antivirus detection for dropped file 36->101 103 Machine Learning detection for dropped file 36->103 105 Drops executables to the windows directory (C:\Windows) and starts them 36->105 107 2 other signatures 36->107 40 svchost.exe 3 4 36->40         started        signatures17 process18 file19 69 C:\Users\user\AppData\Local\stsys.exe, PE32 40->69 dropped 123 Antivirus detection for dropped file 40->123 125 Detected CryptOne packer 40->125 127 Machine Learning detection for dropped file 40->127 129 3 other signatures 40->129 44 spoolsv.exe 40->44         started        47 at.exe 40->47         started        49 at.exe 40->49         started        51 17 other processes 40->51 signatures20 process21 signatures22 135 Installs a global keyboard hook 44->135 53 conhost.exe 47->53         started        55 conhost.exe 49->55         started        57 conhost.exe 51->57         started        59 conhost.exe 51->59         started        61 conhost.exe 51->61         started        63 13 other processes 51->63 process23
Detection:
n/a
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6731f235ff78e22e5a0f1503542926bb707a95251b8cbd22c56fbd7fc5a8cbbf/
Threat name:
Win32.Trojan.Swisyn
Create hunting rule
Status:
Malicious
First seen:
2022-08-04 17:51:03 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
37 of 38 (97.37%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://www.spamhaus.org/query/hash/m4y7enp7pdrc4wqpcubvikjgxnyhvfjfdogl2iwfn66x7rnizo7q._file
Verdict:
malicious
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:blustealer family:stormkitty collection evasion persistence stealer
Link:
https://tria.ge/reports/220805-hn7rpshbej/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
BluStealer
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
StormKitty
StormKitty payload
Unpacked files
SH256 hash:
c09affd5fddb9ca441374ffb348376e6f25b9fc4ffa7e4da29fbbdca4c32c043
MD5 hash:
f77ab6497bbf34bc635dc4f790c02ead
SHA1 hash:
416e499335a6dda176d50f532a4c7f067d1d178f
Detections:
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/21e077eb-c9ca-4323-b730-e9b43799ab70/
Parent samples :
a4d4f86889b389430e83bf9d7829e1c9488ac55bd4f9d226e1cc739fe43e54ec
2b661a8e53810cefbc9c2bb09e3aeea5607e6195160f3902bbf2ea7581ec82b5
836cd10659a3fca29d754c77b76c305f6a829e3f44efd9672b82c217628c49eb
66c646381997538bca27a7468229257a02527852ac897ca04d6ea52c3cad82ac
8a1902d9c0dbe388b28ef5a9c8ec4c0f1802fc6ccd43471ea337dcb3d71c81d4
308f40c19bcd4f58f5dc1e83713d91a80a2ac8f78b5e03501db556f94c946149
284ce975050009d5c7bce4ad0c02f03a4cf70bad620e10822a4f4ad65e567127
29dbbf1bffa1c271158334e05721f8a7fb76513d5ba0d8c5a5abe267cccdbe4b
e68526e8ebc0cb1342ed01317aa6966d83bea1b71b1285b55b653a512200304c
d178525a986175d484866facf95baa1573a63a1060e5a06346ee4da4932df656
d5adba5715cd10a3c9dcf11d7ab1e30834050eef7513bda558bfe39a53a364ac
6731f235ff78e22e5a0f1503542926bb707a95251b8cbd22c56fbd7fc5a8cbbf
b5141a3c6323449bc7fc031d6eb2073fcbe97754c46eef0d0d8f937b9c2fb5cb
2d127dea1f6345c2027dbf93c109f7d7758f5bb396c9d47caa593a5039c05778
2bf197104a6418c886f206755e3f599ae9b1f90cf9771be981c30f427ecb228c
3704c9065de2c596066dbca893c63b1d12b9264d62cffd92ffc49aaf919b49a5
98d37790e570afd49b7a00192019f6c9e7c84e96069da4daa1b64a6cc88695a8
4a4d5455c9e941082c8c08a96102afc9d33abc40985bfcc00b6bee8c098066fd
SH256 hash:
c213005d8dbb7ad6b40effbd651f32b05efc48bfffd470c64389f536826dde8c
MD5 hash:
554d8a35de804b5f43da29e1124bff4e
SHA1 hash:
5d2ca141e18868d0abfa58e5ea54260e702530c6
Link:
https://www.unpac.me/results/21e077eb-c9ca-4323-b730-e9b43799ab70/
SH256 hash:
6731f235ff78e22e5a0f1503542926bb707a95251b8cbd22c56fbd7fc5a8cbbf
MD5 hash:
45061e4da841c2587d0890148705a142
SHA1 hash:
eb68218c1d70f3ba00f8190c8171ad1cfa2fb42a
Link:
https://www.unpac.me/results/21e077eb-c9ca-4323-b730-e9b43799ab70/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6731f235ff78/report/overview.html
AV coverage:
87.32%
AV detections:
62 / 71
Link:
https://www.virustotal.com/gui/file/6731f235ff78e22e5a0f1503542926bb707a95251b8cbd22c56fbd7fc5a8cbbf/detection/f-6731f235ff78e22e5a0f1503542926bb707a95251b8cbd22c56fbd7fc5a8cbbf-1659658983
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6731f235ff78e22e5a0f1503542926bb707a95251b8cbd22c56fbd7fc5a8cbbf

YARA Signatures

MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:MALWARE_Win_A310Logger
Create hunting rule
Author:ditekSHen
Description:Detects A310Logger
Rule name:MALWARE_Win_StormKitty
Create hunting rule
Author:ditekSHen
Description:Detects StormKitty infostealer
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_1_RID2B54
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/296578/

Comments