MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6938bb5b3bd1c8666fef0c03e06d654752a1678888eab3946d7d46afa5f4be80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	6938bb5b3bd1c8666fef0c03e06d654752a1678888eab3946d7d46afa5f4be80
SHA3-384 hash:	ef2e9111ce395155ae7b105e29a4e164217f6543b9be5364b9ec86f4d9df0b07d21b7252585240e7ddb254de37ac413e
SHA1 hash:	3cc2d548b5c6812b6b7322a64dfbce31bdcb35cc
MD5 hash:	b1333fc270e4378a88de9c016c0912e9
humanhash:	william-cardinal-happy-music
File name:	b1333fc270e4378a88de9c016c0912e9.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	856'576 bytes
First seen:	2020-10-02 10:50:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:CyuHS2AlG6ollMcsVeuSrMUtSEY1UDLN64zSkK0RVmvXTzPo4dNDX+ZxBt6oLr57:Z0Lca5tSB1U9MkzLmfTc69Xix3JeQ
Threatray	622 similar samples on MalwareBazaar
TLSH	AE05F1BC12589F23CD78017ED0B42384B2F186572255FA84FFED43BA29C27B65B22579
Reporter	abuse_ch
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

102

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Enabling autorun by creating a file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/480151

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Injects a PE file into a foreign processes

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6938bb5b3bd1c8666fef0c03e06d654752a1678888eab3946d7d46afa5f4be80/

Threat name:

ByteCode-MSIL.Trojan.NanoBot

Status:

Malicious

First seen:

2020-10-02 09:20:15 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ne4lwwz32hegm37pbqb6a3lfi5jkcz4irdvlhfdnpvdk7jpux2aa._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

1eaff8168df5df270c3d844483f5b9b93075c1e0d6a8a5bc8e733d2c039a1fdb

MassLogger

4628c89109f5af8e4e6522f56ddb77abafd801fd38a48d61240987586b4b7dc8

MassLogger

5de3a91f516ff756b450155641e354aebc48ff4701721dde73ef1960bf955b94

MassLogger

7bed2f09d2796f9c8f437f20e993e119d871c364895bec22192d754ee83dc30f

MassLogger

8e04e0705156c53871f3a4f34b4fbd483cf079194b4156a87fcfd961d1ab70d0

MassLogger

b6425efa950d3d45e01f94cf2ea732148a6454a9ebd8b253d18e6f08ebc724e8

MassLogger

d3b42cf65675502e58c7d5e967cec24716e389ccf9beeb8e2decc41913e57979

MassLogger

ec9281b1e4cbbcb084368da146fd13f55d33aa8b7d8214cadbc0f6b707ef893f

MassLogger

fed11233078cad87ccd876c50e08453d3be0f8582e939d2c8890821c7819e86d

MassLogger

+ 612 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware stealer spyware family:masslogger

Link:

https://tria.ge/reports/201002-f252sw3vz2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Unpacked files

SH256 hash:

6938bb5b3bd1c8666fef0c03e06d654752a1678888eab3946d7d46afa5f4be80

MD5 hash:

b1333fc270e4378a88de9c016c0912e9

SHA1 hash:

3cc2d548b5c6812b6b7322a64dfbce31bdcb35cc

Link:

https://www.unpac.me/results/bf8d9166-1bf9-4d22-a077-9dedbf566d62/

SH256 hash:

ceef880e8dd65047331aa2b11c46ae62685364b5758a363c4503bdc014a6179f

MD5 hash:

37fdc1379d5fc04b3fe5b61fb98a3d60

SHA1 hash:

38122fd6394de4863b3ed9a7c2a1185e9a119de8

Link:

https://www.unpac.me/results/bf8d9166-1bf9-4d22-a077-9dedbf566d62/

SH256 hash:

98345b58880e00542a33558fcda01a2cfbb83f8c68aeef660b575418d5496a17

MD5 hash:

ac8dcfe72a7e38abf17abcb99709a841

SHA1 hash:

8a86ce91ee777a1f2b36cb54ade673a1c59f65e3

Link:

https://www.unpac.me/results/bf8d9166-1bf9-4d22-a077-9dedbf566d62/

SH256 hash:

2bec6f0faa3e6a1372e45cc494fd26d121ddf1b735b7a69908b60b0b9edca280

MD5 hash:

22fe3e04ae4a3164e55e5397d2cc8b18

SHA1 hash:

bceff8f05003b902a458bc54ee1be89cee8e5baf

Link:

https://www.unpac.me/results/bf8d9166-1bf9-4d22-a077-9dedbf566d62/

SH256 hash:

8cb46c6ed62c3dcd8d5ff9ecb455843e72ceb7c72110b172ff4e6ac4d9451a34

MD5 hash:

8d77899cb399dc4c91eddb605eebbd3a

SHA1 hash:

f18f33cbc670c26fb78869326cee6e2ec6c69505

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/bf8d9166-1bf9-4d22-a077-9dedbf566d62/

Parent samples :

ee880952ee58fc84d182465b247a4b01e876ff1186cc4ae16ffb94ef44b45700
2f61047689118e21626c8cf55f4400cb7e65bf68684f326609252eb070bfd887
1d6159b26b3bf4e080949b2bb754b3f095b24a084e9d1693f598970cebcf754c
4628c89109f5af8e4e6522f56ddb77abafd801fd38a48d61240987586b4b7dc8
619ae9f6605a4c01851999c358172385764b50bb32abbe80f2d3ed341807c137
7bed2f09d2796f9c8f437f20e993e119d871c364895bec22192d754ee83dc30f
6938bb5b3bd1c8666fef0c03e06d654752a1678888eab3946d7d46afa5f4be80
0ad81d618eb99e9e2e3d820cb7f2ff603bfc3395b74e26cad39a200c93942cd5

SH256 hash:

a4009288982e4c30d22b544167f72db882e34f0fda7d4061b2c02c84688c0ed1

MD5 hash:

7c359500407dd393a276010ab778d5af

SHA1 hash:

4d63d669b73acaca3fc62ec263589acaaea91c0b

Link:

https://www.unpac.me/results/bf8d9166-1bf9-4d22-a077-9dedbf566d62/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

MassLogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6938bb5b3bd1c8666fef0c03e06d654752a1678888eab3946d7d46afa5f4be80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

exe 6938bb5b3bd1c8666fef0c03e06d654752a1678888eab3946d7d46afa5f4be80

(this sample)

Cape

https://www.capesandbox.com/analysis/67723/

URLhaus

https://urlhaus.abuse.ch/url/410810/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample