MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d66edd777191f1972fee3bbd11950bca3af608a2e3f3392c4c778a1ab991ec3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d66edd777191f1972fee3bbd11950bca3af608a2e3f3392c4c778a1ab991ec3
SHA3-384 hash: 0c16bf5a04ebf967ddc1eebc5df60ca6b3380cdab332378d1d99d4cb3a406953e026f3ff91f84cd9bb3400914f64ba5a
SHA1 hash: a7920c4c4064e1332564d45c43d67f2b0953cf34
MD5 hash: b87ab53adf4d6d5c457a82e707a2d09b
humanhash: river-virginia-green-double
File name:SIC - 127476.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:233'472 bytes
First seen:2020-11-25 14:26:57 UTC
Last seen:2020-11-25 16:48:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:gRnebLAgzgQuQLeY7zeBjmWLcqfUzz5YQafd8MhJ8:gZevxzmQF7zMbwRziQTV
Threatray 1'166 similar samples on MalwareBazaar
TLSH 5334F1037BAA2261C6784A7AD2CF50A1477190072183C7977ACE11472E1F7ED96DAFCB
Reporter James_inthe_box
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105649/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Deleting a recently created file
Running batch commands
Connection attempt
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Setting a global event handler for the keyboard
Result
Gathering data
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/547049
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an autostart registry key pointing to binary in C:\Windows
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 322628 Sample: SIC - 127476.exe Startdate: 25/11/2020 Architecture: WINDOWS Score: 100 65 g.msn.com 2->65 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus / Scanner detection for submitted sample 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 10 other signatures 2->77 14 SIC - 127476.exe 3 2->14         started        18 msworrd.exe 2 2->18         started        signatures3 process4 file5 63 C:\Users\user\...\SIC - 127476.exe.log, ASCII 14->63 dropped 95 Injects a PE file into a foreign processes 14->95 20 SIC - 127476.exe 4 5 14->20         started        24 SIC - 127476.exe 14->24         started        97 Drops executables to the windows directory (C:\Windows) and starts them 18->97 26 msworrd.exe 18->26         started        28 msworrd.exe 18->28         started        30 msworrd.exe 18->30         started        signatures6 process7 file8 57 C:\Windows\SysWOW64\mssofficee\msworrd.exe, PE32 20->57 dropped 59 C:\Windows\...\msworrd.exe:Zone.Identifier, ASCII 20->59 dropped 79 Creates an autostart registry key pointing to binary in C:\Windows 20->79 32 wscript.exe 1 20->32         started        signatures9 process10 process11 34 cmd.exe 1 32->34         started        process12 36 msworrd.exe 3 34->36         started        40 conhost.exe 34->40         started        file13 61 C:\Users\user\AppData\...\msworrd.exe.log, ASCII 36->61 dropped 81 Antivirus detection for dropped file 36->81 83 Multi AV Scanner detection for dropped file 36->83 85 Detected unpacking (creates a PE file in dynamic memory) 36->85 87 4 other signatures 36->87 42 msworrd.exe 4 2 36->42         started        46 msworrd.exe 36->46         started        signatures14 process15 dnsIp16 69 89.249.74.213, 40511, 49723, 49724 M247GB United Kingdom 42->69 89 Writes to foreign memory regions 42->89 91 Allocates memory in foreign processes 42->91 93 Injects a PE file into a foreign processes 42->93 48 svchost.exe 2 12 42->48         started        signatures17 process18 process19 50 iexplore.exe 48->50         started        process20 52 iexplore.exe 50->52         started        55 iexplore.exe 50->55         started        dnsIp21 67 192.168.2.1 unknown unknown 52->67
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d66edd777191f1972fee3bbd11950bca3af608a2e3f3392c4c778a1ab991ec3/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-11-25 01:42:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rvto3v3xdeprs4x64o55cgkqxsr26yekfy7thewey54kdk4zd3bq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
15170d0dbe467efc4e38156ed4e03702ae19af44c100d7df7a75c6dbdb7ac587
MassLogger
4791861118e0be776fd14153e2feca7d25f5a91a6c32a997385f5ae272e3d7c8
MassLogger
4a94b062dbb9df940520146d100df5b019795d0f508d7ba89d24eb18725e1608
MassLogger
58d5f679e704a0814342eb3a02eaf780d737c6456e5ae070986330db2fa6dd18
MassLogger
5b10f4a23880b51923a0df3e9e3c37f40eb0d3cc93de7b463da62f936a501385
MassLogger
6c882aeb918e424cefe1068a6d3fbff5526c31e185716bf3a0d5ae0295772f09
MassLogger
a7bba5cba33b4320a78cd057e3cdd5169a86e90f6550e997772f4447549fd729
MassLogger
ca62c5cf8e6f3260dbe15a469e90197612af8843d897f65c7fdde87554ebae51
MassLogger
d7e339a5a02ec396fb568be9485047caccf6cc9ac85a8a6448410ed26a75f7e7
MassLogger
f412da03defe68cc6e1f264449adf519a4c5470c51e7b502854f7fbf358f8516
MassLogger
+ 1'156 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence rat
Link:
https://tria.ge/reports/201125-3dplsda4ej/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Remcos
Malware Config
C2 Extraction:
89.249.74.213:40511
Unpacked files
SH256 hash:
94379b9aa74e1fe1ceb034c2a38cc66d9dc14cc4694a304590c68334601eea1b
MD5 hash:
b01c3668f57af0806bb9a9b64cebcff0
SHA1 hash:
5bbc80f212f2ad2893f281e2e9ff64339af7090e
Link:
https://www.unpac.me/results/f6a6b23a-317e-48c4-b57c-55e5e68375ee/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/f6a6b23a-317e-48c4-b57c-55e5e68375ee/
SH256 hash:
93d42376bb35a0a7ac651fa9cc6efb636d7dee1a594c5f67039293b651864b41
MD5 hash:
a3d6117ea72839bbb825ce390d3dcc30
SHA1 hash:
1482644d7911335fcc75f1f8001a48751d056fa3
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/f6a6b23a-317e-48c4-b57c-55e5e68375ee/
SH256 hash:
8d66edd777191f1972fee3bbd11950bca3af608a2e3f3392c4c778a1ab991ec3
MD5 hash:
b87ab53adf4d6d5c457a82e707a2d09b
SHA1 hash:
a7920c4c4064e1332564d45c43d67f2b0953cf34
Link:
https://www.unpac.me/results/f6a6b23a-317e-48c4-b57c-55e5e68375ee/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d66edd777191f1972fee3bbd11950bca3af608a2e3f3392c4c778a1ab991ec3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_RemcosRAT
Create hunting rule
Author:abuse.ch
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_remcos_g0
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/105649/

Comments