MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72c2e8990fede91615555d69a7bfe061476e56e3fd4b4bf86217aa9ae816c571. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72c2e8990fede91615555d69a7bfe061476e56e3fd4b4bf86217aa9ae816c571
SHA3-384 hash: a38682683df185d7e89e0211d17b1e64b064a7cb67f2661a973f0d0acd2b286e79290d0262979e1d050d1b2cd0f378be
SHA1 hash: c3de3b71b61b70be7b00c96d643cbad44f4e0598
MD5 hash: 5fa29b2a0a86144477ff75ad70fe603d
humanhash: tennis-victor-network-avocado
File name:5fa29b2a0a86144477ff75ad70fe603d.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:48'632 bytes
First seen:2020-12-18 16:39:36 UTC
Last seen:2020-12-18 18:33:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:wX5gDp26tbIIdYwJ2TPMGdOxYdslb1R1fcFmFQ6hqx475xfGflvx/FIwJGunVLUf:wX5x6tbIIdYwJ2TPMGdOxYSb1fluCh7r
Threatray 606 similar samples on MalwareBazaar
TLSH 0623A3E9220949D3E19EFB34B293102762339437262F0B6FD1DE23D3D5627912BC5A5B
Reporter abuse_ch
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
289
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5fa29b2a0a86144477ff75ad70fe603d.exe
Verdict:
Malicious activity
Analysis date:
2020-12-18 16:49:37 UTC
Tags:
trojan stealer masslogger evasion
Link:
https://app.any.run/tasks/0aae239b-136c-4dcf-bae3-e8d789b6417c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108451/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.45056007.6257.17689.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending a UDP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Sending a TCP request to an infection source
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/566493
Signature
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 332331 Sample: 7cgqAbCuuO.exe Startdate: 18/12/2020 Architecture: WINDOWS Score: 92 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected MassLogger RAT 2->38 40 May check the online IP address of the machine 2->40 42 3 other signatures 2->42 7 7cgqAbCuuO.exe 15 3 2->7         started        process3 dnsIp4 28 hastebin.com 172.67.143.180, 443, 49708 CLOUDFLARENETUS United States 7->28 44 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->44 46 Hides threads from debuggers 7->46 48 Contains functionality to hide a thread from the debugger 7->48 11 7cgqAbCuuO.exe 2 7->11         started        15 WerFault.exe 20 9 7->15         started        18 cmd.exe 1 7->18         started        20 7cgqAbCuuO.exe 7->20         started        signatures5 process6 dnsIp7 30 elb097307-934924932.us-east-1.elb.amazonaws.com 54.243.164.148, 49713, 80 AMAZON-AESUS United States 11->30 32 192.168.2.1 unknown unknown 11->32 34 2 other IPs or domains 11->34 50 Tries to steal Mail credentials (via file access) 11->50 52 Tries to harvest and steal browser information (history, passwords, etc) 11->52 26 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 15->26 dropped 22 conhost.exe 18->22         started        24 timeout.exe 1 18->24         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/72c2e8990fede91615555d69a7bfe061476e56e3fd4b4bf86217aa9ae816c571/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2020-12-18 16:40:07 UTC
AV detection:
11 of 29 (37.93%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
2268c04275e6483759c53e8fc26f983591be004ac63afd19591da079bbf67875
MassLogger
320592aa53514c7fd425f4c691e4be802ca964955d5a6fdd960a8725c36737b4
MassLogger
3251a40b247e2a5428a63e66306667d8fb630f56b0b6d49afd05ed72adcdd731
MassLogger
394460b6c0b33b4e5d45308e968e765627fb9f34d4ad8c51b8922543d6bf2490
MassLogger
3cb1955eec13265edab82971675922208f0ef9d05ee1107bc321be2eb6633ef2
MassLogger
49d9309eac532c0e556de20a5caab67bf0819266c5eee7aeb794472a3f70b3d6
MassLogger
8ea1d5e023c174a65c047ecf0f633ef66ba5adfd58ff0cc09ad084fd31f84278
MassLogger
985aeed489ef3a3af3b21b0adb1bc8a4e7d444522b742bfedee03da6879b7fc8
MassLogger
9eb4a882832362dbb1d183cd5d4f916f3e8d8cef86fd99bddb0cc14b19bc2b57
MassLogger
a8883460eb4eda4b981767c15ae6fadf5dd2c5ff7d8d8325b417bbdf71dece1a
MassLogger
+ 596 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger spyware stealer
Link:
https://tria.ge/reports/201218-va14qxsfr6/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
72c2e8990fede91615555d69a7bfe061476e56e3fd4b4bf86217aa9ae816c571
MD5 hash:
5fa29b2a0a86144477ff75ad70fe603d
SHA1 hash:
c3de3b71b61b70be7b00c96d643cbad44f4e0598
Link:
https://www.unpac.me/results/1ca733b5-9b0a-453e-b3e3-aaf320fc8ad8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/72c2e8990fede91615555d69a7bfe061476e56e3fd4b4bf86217aa9ae816c571

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe 72c2e8990fede91615555d69a7bfe061476e56e3fd4b4bf86217aa9ae816c571

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/924829/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/108451/

Comments