MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ab8448549ffa379c39811667a25d2e922c6ed440de7ceae541e76b06d315f47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	8ab8448549ffa379c39811667a25d2e922c6ed440de7ceae541e76b06d315f47
SHA3-384 hash:	96c3fe9ad3a850933dddf204c95793ab57c3475346c11b6029627ce59ecf66d1ce02169c8cfd91115658395b34a0d744
SHA1 hash:	e2c55ea0c667200d00eaf33c2e6c1a76a6657b37
MD5 hash:	6beab3fac7e37fd1262de30b6de9f5d0
humanhash:	november-fix-sink-six
File name:	d0f1e2730fd4290948927b1fa6002153.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	593'920 bytes
First seen:	2020-10-03 08:16:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:clcXVy5esjbPEIkLhQa6leVA3L/5t5YTY35f4tUADrhj49HaOZ:hXVyECTleVaL/5PhBkxh4daOZ
Threatray	71 similar samples on MalwareBazaar
TLSH	A0C41251B320D153DB0A9E71C2F2F936032A6D772422DB5A7896B4161A33BDE2C42DDF
Reporter	theDark3d
Tags:	exe malware MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

244

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/67887/

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.hc.8095.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Creating a file

Reading critical registry keys

Creating a file in the %temp% directory

Moving a file to the %temp% directory

Deleting a recently created file

Setting a global event handler for the keyboard

Enabling autorun by creating a file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/480723

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Creates an undocumented autostart registry key

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8ab8448549ffa379c39811667a25d2e922c6ed440de7ceae541e76b06d315f47/

Threat name:

ByteCode-MSIL.Backdoor.Crysan

Status:

Malicious

First seen:

2020-10-03 08:18:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rk4ejbkj76rxtq4ycfthujos5ermn3kebxt45lsudz3la3jrl5dq._file

Verdict:

suspicious

MassLogger

290452bb8eb4dfcc3cfb1590c8fb1b44427a3c9f0439ad5855e35bc39537a3a3

MassLogger

29fbab8bb9b5126a998456269799b28b5e879b4f294e15feece36bb594b192c9

MassLogger

3481235147e1800772079eba0f3df848735378b9711d3a11b90141a01de3898b

MassLogger

3b9f555888df6326a6a0c7dd2c2c1c2d78bbb969c1b7d40ea0d0e9679a06bbc5

MassLogger

6c6c416e7f5f748b6369b4eee9212932740124e375439222cdc649fb2d63d7e5

MassLogger

82f9d45ee92a5f51af44dc11384e5a10fa12fbb46659291dc188a9222d17fc34

MassLogger

878d3d77023a927c7dc6aaab23b90cd1203bcd1bacdeedf997692a4c60d24129

MassLogger

a849f1677b6addf326c029fff0d355c882ff497e23215c840dac2f1388dd9d83

MassLogger

f37537ab1a0c2fd830bf2ea03f299ceccf2d1eb5f8c72be80580a680450da4aa

MassLogger

+ 61 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/201003-h9rmea91me/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Reads user/profile data of web browsers

Checks computer location settings

MassLogger

MassLogger log file

Unpacked files

SH256 hash:

8ab8448549ffa379c39811667a25d2e922c6ed440de7ceae541e76b06d315f47

MD5 hash:

6beab3fac7e37fd1262de30b6de9f5d0

SHA1 hash:

e2c55ea0c667200d00eaf33c2e6c1a76a6657b37

Link:

https://www.unpac.me/results/cc6dbed4-2a0f-4c6b-adbd-9a2758081a24/

SH256 hash:

7995d2a34a862e94e48863c8fa31e7cf117dbeef2db2c5bf93dae489a0f6079e

MD5 hash:

079dc5a67dc20f618f80c084a438b071

SHA1 hash:

2441d7857b675ec2c156f1f2eb8b6411e4a2b742

Link:

https://www.unpac.me/results/cc6dbed4-2a0f-4c6b-adbd-9a2758081a24/

SH256 hash:

1e1da5a6c02a014de8d5d9ab88627eae852ec567a58ee96d357925688a272b5d

MD5 hash:

cb7e5acc1fd5015c272ca08a826c8ba1

SHA1 hash:

5a8842317778020ac09235477d0422e7cad2b8a0

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/cc6dbed4-2a0f-4c6b-adbd-9a2758081a24/

Parent samples :

8ab8448549ffa379c39811667a25d2e922c6ed440de7ceae541e76b06d315f47
c5216e025f487ad72623e702871432afa40739fc1d2b24fca4bcbd7f009d0064
a4d56971577536b2742d89e0ead542a8cd8818a798371d1cd04ec22b3931ec56
e93cf93e8ff851cd540fa165166665bbb0f5bfd1103166686230e9cb810caa05
f4c976f3587362c6138a4dd309aabf2ec5c31f0ebe98b4618a2f52f145ce4a77

SH256 hash:

3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

MD5 hash:

6ded8fcbf5f1d9e422b327ca51625e24

SHA1 hash:

8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

Link:

https://www.unpac.me/results/cc6dbed4-2a0f-4c6b-adbd-9a2758081a24/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8ab8448549ffa379c39811667a25d2e922c6ed440de7ceae541e76b06d315f47

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/67887/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample