MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76886075c158597451b514883b75f84fbf5660fc5445de4124662b7aba132cf0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76886075c158597451b514883b75f84fbf5660fc5445de4124662b7aba132cf0
SHA3-384 hash: 534aeec134ba06fba1aab660e8689f5f967e5caa72568c102786e1b7c5f6058cb1a5dbeff07471e09a64884edbf46016
SHA1 hash: f476ae52541a5a776ec9b539ed81f94088c745b6
MD5 hash: 3bfe9fdb42bd1f0d60e5cf4234b318c3
humanhash: hotel-maine-xray-iowa
File name:3bfe9fdb42bd1f0d60e5cf4234b318c3.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'286'144 bytes
First seen:2020-08-06 08:24:51 UTC
Last seen:2020-08-06 13:43:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:m6WqIYxPeVZlx/77k588z2PewgltYUNqlW5KxyLV:JWqIPVjxDo8Y2GwgltUlWkxyLV
Threatray 691 similar samples on MalwareBazaar
TLSH 6255D0C1F1409D50DC1A4E3B4D3399924B33AC6BEF06D206349CB6596BF728A6A35F93
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
MassLogger SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/40405/
Detection(s):
SecuriteInfo.com.Variant.MSILPerseus.227313.27802.7659.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/412657
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76886075c158597451b514883b75f84fbf5660fc5445de4124662b7aba132cf0/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-08-06 08:26:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o2ega5oblbmxiunvcsedw5pyj67vmyh4krc54qjemyvxvoqtftya._file
Verdict:
unknown
Similar samples:
065011f5098f869c79ff098a104765fa08050cfef16bac98b0944108de1ebee4
MassLogger
0b0537b9f976c4a49f1105bc03d252c0cac7a99b9abdb1a020d2966b6a0b1285
MassLogger
0fd0591e79669d6016acff95109efd434cc39498d83f4ebdaac67c96091e4fa9
MassLogger
2aa941b7340367ad780683ac45b75f8e63b4df7913b4ca6f95e794fd75b36b03
MassLogger
3e4bbaedb75ecb1dba42d262fbb6c051d30dddbf7d10ceac4086836b67f1dd3a
MassLogger
4c8728146976e30a09321d1e158aeeb46908c54fa8614ccef7fbc9761956eca4
MassLogger
7a844a73345acfd4a047d76088829ba790ae67a7d3a3527feecb290c6dbfc3bd
MassLogger
7cfa62ab7a592f04b4268ad35e2a90739666f9d5e91eaa5808dd8ba11239f43d
MassLogger
bcd7372fd84fe78e97a72a842df6cab2a5d7a47909a3fd05b13f6f4990de8a7f
MassLogger
e5caa150b119335b8b2fe8c999f8e801c1e74b010ceb58b794804ea6b4b07c61
MassLogger
+ 681 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware stealer spyware family:masslogger
Link:
https://tria.ge/reports/200806-tb9krxyyss/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger log file
MassLogger
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76886075c158597451b514883b75f84fbf5660fc5445de4124662b7aba132cf0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe 76886075c158597451b514883b75f84fbf5660fc5445de4124662b7aba132cf0

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/40405/
  
URLhaus
https://urlhaus.abuse.ch/url/426038/
  
Delivery method
Distributed via web download

Comments