MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94146768b29e3662510da98563950de0788ee9cd75bdef337ee65987b7fc124c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash:	94146768b29e3662510da98563950de0788ee9cd75bdef337ee65987b7fc124c
SHA3-384 hash:	524713761293ceaf1edb97dd8e06cb1d4ea09d1e705bc64ba12e3fec36461077167385575d324ff7fd3ae309aff28d1c
SHA1 hash:	ee937ed55c3f9f139f34d60f36201703275a2527
MD5 hash:	6fc51cfdff5f7cc6830ae03afc4109dd
humanhash:	winter-johnny-single-georgia
File name:	Amended PO4800.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	950'272 bytes
First seen:	2020-11-09 16:17:07 UTC
Last seen:	2020-11-09 17:50:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:2t8DRlzuNY9B/d4/CibBr1+QEP9rVxPryoLuAckNcUG5SXLENCi+O1kkTe85:2EB1cZER9uA6UG5SXiQkTe8
Threatray	558 similar samples on MalwareBazaar
TLSH	3F15E12223997B52E03E97799525200187F1FA27E736C7CEBD8D10DA0B73F845B62B16
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing MassLogger:

From: sales <sales3@steelpipeskzn.com>
Subject: Amended PO4800
Attachment: Amended PO4800.zip (contains "Amended PO4800.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.424.20867.2967.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/526661

Signature

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/94146768b29e3662510da98563950de0788ee9cd75bdef337ee65987b7fc124c/

Threat name:

Win32.Trojan.Ymacco

Status:

Malicious

First seen:

2020-11-09 12:04:12 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sqkgo2fsty3geuinvgcwhfin4b4i52onow666m364zmypn74cjga._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

787e10aed324cae24ab5136f95deb95efe8715a6bd7ced09028b2ee21d228a5e

MassLogger

91611c980854c78b5da49e48553e20e646e4ab8d74f03fc4b2ced8058e818e66

MassLogger

a558950f60aa2a7e34ac71c8a3013fbf576f485a9468ecfe5fdb0a1abb2cafbe

MassLogger

b5bc74bcee96164cc5419a48594d9aade1ebc15c2dd2544e9caa68c4fc715ed1

MassLogger

c18c5e02d67ca2dea08e13f3731c5dd0f5d8833bf2b606287c97e1d053564b85

MassLogger

c2492c733ead768e887ed1ebb1d1ee48fe059bde4f4650f5674c7c66adcc0dfa

MassLogger

c62984587e756c3238bf4694ed959c509341427c9f06fc4973c0e7f6fb614546

MassLogger

da5de33aa29159ce3331c060ed0da0b17346037aa12960652d67ecc7ba6d44a5

MassLogger

dc241ba360d33151f9653cfc416e88c6637d91c097406965809860a5317b76e6

MassLogger

+ 548 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

family:masslogger spyware stealer

Link:

https://tria.ge/reports/201109-7vepgn2fxn/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

MassLogger

MassLogger Main Payload

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/94146768b29e3662510da98563950de0788ee9cd75bdef337ee65987b7fc124c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf