MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c66ed3a40b1964b2d4f5d86214ba8468e0313ae8f340bb91a8059f94318e47c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c66ed3a40b1964b2d4f5d86214ba8468e0313ae8f340bb91a8059f94318e47c
SHA3-384 hash: 09c2f3b3ae0a9e73d9d9c606f1b26afaebb718d7b57053361166c60f9596fec6ca7b3285199aa7816e4ca2b90de38e03
SHA1 hash: f689e652b6fdfbd6fc75552cabc1a7e09423832c
MD5 hash: 97c31d1449bed7aaace13e171905842e
humanhash: washington-eleven-echo-wolfram
File name:PI_PROFORMA093.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:890'456 bytes
First seen:2020-10-15 13:01:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'481 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:TniehQ5CQ2LQLQmcO2NIWsTb80X1tuvrQ2c6JXKNZntG9bKn9FBvYjn2YVIXqkN:Tid5C8sjvj0b80lIv02c6sntGUYVG
Threatray 92 similar samples on MalwareBazaar
TLSH 6515F7FC1847183AE7C94976C4325631611AAC8F9F12E2271C1A34BE0DBD8696B7F973
Reporter abuse_ch
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71405/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492461
Signature
Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c66ed3a40b1964b2d4f5d86214ba8468e0313ae8f340bb91a8059f94318e47c/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 09:06:50 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nrto2osawglewlkplwdccs5ii2hage5or42axoi2qbm7sqyy4r6a._file
Verdict:
unknown
Similar samples:
071ba6fa9eef804d528534c2fc314365ab5a4b2dcffdd90eb2bffaabc57ab987
MassLogger
5e110b46db054e7b3b2e12592791e89e76d8baf65c215c1a577ec2016c3c81e5
MassLogger
7ce357f7c3475e91f3dd3880f4fbbaa6d50f7101044b8b24e2ca0ea70981286c
MassLogger
8044dc7f383547fb4d9acfc1bfd1adfe3e6def133317a506b991e5b62a29bc63
MassLogger
84b4040d764a758414d6e7d913161c97846e563eb18e3497f207670f9d239bc8
MassLogger
aac1c7cb39b8c4aaedfeba2909f4128578c4a20015c8029a2c6d1e85d4987244
MassLogger
d24bb55f5d9a39c42a96837653c4821ee9406d0896199db1b54cc3078b002547
MassLogger
d30ef27af1f472767f36dd42663483dd6fed770480aa38f04fd63b32121091e9
MassLogger
d3841ea334da706d4b747eb155cac753018b0b4fd22da4286d935b06cfccd580
MassLogger
e8da65e395c309509563df99675f2ddaa5339b55fd944867a479ffc5d3639946
MassLogger
+ 82 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
spyware stealer family:masslogger
Link:
https://tria.ge/reports/201015-kc64nyjttn/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
6c66ed3a40b1964b2d4f5d86214ba8468e0313ae8f340bb91a8059f94318e47c
MD5 hash:
97c31d1449bed7aaace13e171905842e
SHA1 hash:
f689e652b6fdfbd6fc75552cabc1a7e09423832c
Link:
https://www.unpac.me/results/688fec94-f953-4323-8f4e-629ad93d34ad/
SH256 hash:
a1cf3a1ae0521ee5fef56ef8f28be97e1454d4e40f83e45dec29574aa03983c2
MD5 hash:
586b9cfe8feb645fafee15161a7048f3
SHA1 hash:
0c4b4c6b94895e92670f6a65953303ce39ae8511
Link:
https://www.unpac.me/results/688fec94-f953-4323-8f4e-629ad93d34ad/
SH256 hash:
ebad6004df3410aed613263692946ffbee737756b99c64b3923c36d22185f449
MD5 hash:
a11eb2cf8117c78d774d46ceb3d37931
SHA1 hash:
a23d0200971861700276745d3f2524c20fb168ba
Link:
https://www.unpac.me/results/688fec94-f953-4323-8f4e-629ad93d34ad/
SH256 hash:
f70c6cdb1fdf0017f5a66ee09a2a71bb6020452c9a0c415a72fbb20c093bcbb3
MD5 hash:
26e90faacd928bbebf1223331b463752
SHA1 hash:
d386039d106edc7f901c814ca5914c5d0240772d
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/688fec94-f953-4323-8f4e-629ad93d34ad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/6c66ed3a40b1964b2d4f5d86214ba8468e0313ae8f340bb91a8059f94318e47c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe 6c66ed3a40b1964b2d4f5d86214ba8468e0313ae8f340bb91a8059f94318e47c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71405/

Comments