MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90485e8e45ddd80ceb63662e5744c7c834627028fa515442f93a332a34f54ba2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	90485e8e45ddd80ceb63662e5744c7c834627028fa515442f93a332a34f54ba2
SHA3-384 hash:	2f8ce6e338831c9a8397f70c3698ec3a3872468435b26c53ac1bd2b91046e6ab87605626de66a645308eec5702c13fb3
SHA1 hash:	cf2730e004aea5d9d547e0cfc190efc5d896078b
MD5 hash:	350cab86f1a9c872dce2f715d956821a
humanhash:	fillet-tennis-princess-west
File name:	mkrr3KWKWbgmolZ.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'317'888 bytes
First seen:	2020-10-12 06:17:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:jL5TEY9CeyZweLOEcgOvjMBqc3J+C8ehN8F8q5D5wZX6H:jLZwZwmO121J+CjJYH
Threatray	310 similar samples on MalwareBazaar
TLSH	56559CB3935CCAC1DDA957F4111E89A20BA02F5FA4E9E2C81CDDB1FBC738751A190993
Reporter	abuse_ch
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

100

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/69955/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Enabling autorun by creating a file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/488030

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/90485e8e45ddd80ceb63662e5744c7c834627028fa515442f93a332a34f54ba2/

Threat name:

ByteCode-MSIL.Backdoor.SpyNoon

Status:

Malicious

First seen:

2020-10-12 03:30:28 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sbef5dsf3xmaz23dmyxforghza2ge4bi7jiviqxzhizsunhvjora._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

15d71d7a0b659fa5429a2e96d9185dad6aca0fe201dfa802b7fd0ef2b8211c76

MassLogger

1fb23de8da95ef200663ec6bffe9a439b6c39927559b5e103a488cf54355ebad

MassLogger

35053de930782e8179e3721c8927c499b71dc9926db872b722fe8b5ec5b300b2

MassLogger

4255ae6b31d6068463b663c1871ac8cee3461b0d3fbf642f96cf9a3e8817803c

MassLogger

792259d9e6e262d17cc54f4b43c8e95cd0be1e533f5e5032a5cdefb9f899a6a2

MassLogger

b0f6052c071380b0413ba33ab5f888442bba649614a7102ade644d7195487bed

MassLogger

b3c33339d1d526eebdd71c8ce0d1f3d0a12be1d5325e7678924e2bfc29a84181

MassLogger

f4b7759a1a42ebd89a61ed697ca26661dff56719bbf254b7b1f400f3cf4487d1

MassLogger

f638e03e33b24d736db2873b3dee14d8312731d040adb93265b99e21b94b3978

MassLogger

+ 300 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

stealer spyware family:masslogger

Link:

https://tria.ge/reports/201012-dpb7m7f4zx/

Behaviour

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

MassLogger

MassLogger Main Payload

Unpacked files

SH256 hash:

569c873f0c122929f7e2a97e80efb3ad808ad3258593f62f29efd27d2e12d07b

MD5 hash:

6de808d55f88feab1f7a90f34d51a63f

SHA1 hash:

0890cc63ae5a1a01ed1689296ab75f73bb30c14e

Link:

https://www.unpac.me/results/7977c3f2-bd21-4c43-9bab-4a32e63d814c/

SH256 hash:

607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b

MD5 hash:

a90baadadf904455325f7bc787185c7b

SHA1 hash:

7d833bb819d638008c98be469b05db2feaf201cd

Link:

https://www.unpac.me/results/7977c3f2-bd21-4c43-9bab-4a32e63d814c/

SH256 hash:

47b3abe130a12f1389e9cbb5a5bd52ff66d83bafde0e9f6d8361426af2bb6187

MD5 hash:

96aa5d24d67e692588233e936b15a8c0

SHA1 hash:

877a276d4b471068e6a35ee5d7fd2b0900a82120

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/7977c3f2-bd21-4c43-9bab-4a32e63d814c/

Parent samples :

dd5b3d947daecc91aa36e124a5bdcb1cb6b10fdb2d905a9a1e067bd6bdb4065b
f5d3f20a5e7fc84496267536833b84b4dce1c5cc168014215f396490c1430857
703698c23e6a2e0a7fa23c5868bb97bccdca0389b47b0ea33a013a959a4a83e6
21ada34a203f6a238393d69d9c0aebc680f65e9eb0a9bc472f558709e85c88ee
90485e8e45ddd80ceb63662e5744c7c834627028fa515442f93a332a34f54ba2
96c020d574c159341ab1d2dd8029637423bf01286bf930a34a5c9af605d01532
3a332f06a7eef64772601149bd24283ad905cafc1aac7b20035a719ff30bb257

SH256 hash:

90485e8e45ddd80ceb63662e5744c7c834627028fa515442f93a332a34f54ba2

MD5 hash:

350cab86f1a9c872dce2f715d956821a

SHA1 hash:

cf2730e004aea5d9d547e0cfc190efc5d896078b

Link:

https://www.unpac.me/results/7977c3f2-bd21-4c43-9bab-4a32e63d814c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/90485e8e45ddd80ceb63662e5744c7c834627028fa515442f93a332a34f54ba2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

exe 90485e8e45ddd80ceb63662e5744c7c834627028fa515442f93a332a34f54ba2

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/69955/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample