MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 758eab6db6c23b1d0163bb7fc6ba684d507cbec32326d0c0773a1b8da0abfe6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 758eab6db6c23b1d0163bb7fc6ba684d507cbec32326d0c0773a1b8da0abfe6b
SHA3-384 hash: a7336bab703692c0a3db8da7c65a0abefbdca2fb976b33cb06ef1e47ac8525be5b3d003139dd18e76f1ec747bd385e5e
SHA1 hash: 709bab3dd69e76171b525770be72524fd3ae8df9
MD5 hash: 8fba7a5588916f139b2d03039e34c75c
humanhash: kansas-zulu-fillet-finch
File name:SecuriteInfo.com.Generic.mg.8fba7a5588916f13.10918
Download: download sample
Signature MassLogger
Create hunting rule
File size:4'726'128 bytes
First seen:2021-01-15 12:46:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 98304:bItzohhjmPR4LLt9A2/aHt1EvDpyQjegLrGcerGIhPL77s77uN6tYBa7CA/GGMn+:uohhjmPR4LLt9A2/aHt1EvDpyQjegLrP
Threatray 667 similar samples on MalwareBazaar
TLSH B5265F653D4F1AEC24B2F1FBE1B5B66A254ECABF83172AD45321CAD91F17B868414C30
Reporter SecuriteInfoCom
Tags:MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Generic.mg.8fba7a5588916f13.10918
Verdict:
Malicious activity
Analysis date:
2021-01-15 12:50:03 UTC
Tags:
trojan stealer masslogger evasion
Link:
https://app.any.run/tasks/a1ce7a8a-2443-4435-a260-80ad7ee6e745

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Masslogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112207/
Detection(s):
SecuriteInfo.com.Generic.mg.8fba7a5588916f13.10918.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Sending a UDP request
Reading critical registry keys
Moving a recently created file
Deleting a recently created file
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/582420
Signature
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 340248 Sample: SecuriteInfo.com.Generic.mg... Startdate: 15/01/2021 Architecture: WINDOWS Score: 96 40 Found malware configuration 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected MassLogger RAT 2->44 46 4 other signatures 2->46 7 SecuriteInfo.com.Generic.mg.8fba7a5588916f13.exe 3 2->7         started        process3 signatures4 48 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->48 50 Hides threads from debuggers 7->50 10 SecuriteInfo.com.Generic.mg.8fba7a5588916f13.exe 15 6 7->10         started        14 cmd.exe 1 7->14         started        16 cmd.exe 1 7->16         started        18 2 other processes 7->18 process5 dnsIp6 32 elb097307-934924932.us-east-1.elb.amazonaws.com 54.225.66.103, 49721, 80 AMAZON-AESUS United States 10->32 34 nagano-19599.herokussl.com 10->34 36 api.ipify.org 10->36 52 Tries to steal Mail credentials (via file access) 10->52 54 Tries to harvest and steal browser information (history, passwords, etc) 10->54 20 conhost.exe 14->20         started        22 timeout.exe 1 14->22         started        24 conhost.exe 16->24         started        26 timeout.exe 1 16->26         started        38 192.168.2.1 unknown unknown 18->38 28 conhost.exe 18->28         started        30 timeout.exe 1 18->30         started        signatures7 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/758eab6db6c23b1d0163bb7fc6ba684d507cbec32326d0c0773a1b8da0abfe6b/
Threat name:
ByteCode-MSIL.Trojan.Malrep
Create hunting rule
Status:
Malicious
First seen:
2021-01-15 12:42:01 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=owhkw3nwyi5r2aldxn74notijvihzpwdemtnbqdxhiny3ifl7zvq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
00d06537a68b605cb75fefa4aa87bfb3bfc9af3a4514044efb4bc293a1d15cd3
MassLogger
3f969605da4bacc22f9ee9b007548571cf143ce243930b9173decc438cb36f8b
MassLogger
41ccbc679c2941a561c736334dd245fdfd0dffef9656a55eede15676a60f55cc
MassLogger
496f26beb33fff369de4e425a51670236f669a0db67be31760363407cb3494ba
MassLogger
7920cfd32426a9f0b8ad80dcae145d1befcfefcaf55faa4ad45870bf0d780c2e
MassLogger
7a4a073fb5cee4010e0c4a19d8dd6cdd65850b64c681410d5fb17751710cccaa
MassLogger
8d1eb18ff38d288d20dc00e1b12d0e7589107c4cf1798f0e9bec81c81a334fe8
MassLogger
939b73fab4762943e2ba55ec3295845a566ec7d0fc11c20bde0860343713f12c
MassLogger
96cc9904f92eba3b9c8e2f90b7096e5174df7eed983bf1f6e43e855dea170003
MassLogger
f82a52effa51884de08379c6dc8469747a136b89197740c03f926b035b9a1679
MassLogger
+ 657 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger ransomware spyware stealer
Link:
https://tria.ge/reports/210115-ggdeqztf2e/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
MassLogger log file
Unpacked files
SH256 hash:
39884f5121fb4dd1b3680d9dfcd641d934e4d661ac93e640658f4a0eff943c7d
MD5 hash:
85ddee4ffa712828d6b688a86f1d7bdd
SHA1 hash:
66eb9d69e3bb64df8c9b29b4d47dc3a5d0f8528f
Link:
https://www.unpac.me/results/5b3e8252-7645-4b07-8f4a-1a4dde22dc1a/
SH256 hash:
a4009288982e4c30d22b544167f72db882e34f0fda7d4061b2c02c84688c0ed1
MD5 hash:
7c359500407dd393a276010ab778d5af
SHA1 hash:
4d63d669b73acaca3fc62ec263589acaaea91c0b
Link:
https://www.unpac.me/results/5b3e8252-7645-4b07-8f4a-1a4dde22dc1a/
SH256 hash:
84ecbad107cfa8012799c66f98d0e20fb3b8fb269d8c5c198a0f76f25e2c7902
MD5 hash:
84727a5600fc38bca121e62b110d9486
SHA1 hash:
2ec9155061e3185bf397276d146704d9f852adac
Link:
https://www.unpac.me/results/5b3e8252-7645-4b07-8f4a-1a4dde22dc1a/
SH256 hash:
bbf45d1508f61aa54ff58c8b8b9dcb81428b08f1d8112fb21880d0b93e2b1895
MD5 hash:
b3f12cf9bad6009690207107b46f999f
SHA1 hash:
9c818d553e37619cef90f708d7db0303a040b283
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/5b3e8252-7645-4b07-8f4a-1a4dde22dc1a/
SH256 hash:
d9f7f55fb1d90d611e3ddd074fa50c7f8565896d63b3c3cf960b519b7d906f45
MD5 hash:
4767465babe8291eb2318eae6e94bb75
SHA1 hash:
29dd0d32452de90d860a2ae2a74ae563adc312fe
Link:
https://www.unpac.me/results/5b3e8252-7645-4b07-8f4a-1a4dde22dc1a/
SH256 hash:
758eab6db6c23b1d0163bb7fc6ba684d507cbec32326d0c0773a1b8da0abfe6b
MD5 hash:
8fba7a5588916f139b2d03039e34c75c
SHA1 hash:
709bab3dd69e76171b525770be72524fd3ae8df9
Link:
https://www.unpac.me/results/5b3e8252-7645-4b07-8f4a-1a4dde22dc1a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/758eab6db6c23b1d0163bb7fc6ba684d507cbec32326d0c0773a1b8da0abfe6b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MassLogger
Create hunting rule
Author:kevoreilly
Description:MassLogger
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe 758eab6db6c23b1d0163bb7fc6ba684d507cbec32326d0c0773a1b8da0abfe6b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/962712/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/112207/

Comments