MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c4a2d8473718bdb1725450b6f0567098006b9aa89fbd913acab1bab0857143d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	9c4a2d8473718bdb1725450b6f0567098006b9aa89fbd913acab1bab0857143d
SHA3-384 hash:	d411d092a71ee7920d145a5c1c51435c361464ffa480fe152af7c10bfa86ca50c95b3352f80ea1167ce93f1f0dd682e4
SHA1 hash:	9547ba9b31f81bc486b44725d7d90f14d6b693c9
MD5 hash:	35ca357195e9df3237072740c0934f38
humanhash:	crazy-leopard-crazy-september
File name:	9c4a2d8473718bdb1725450b6f0567098006b9aa89fbd913acab1bab0857143d.bin
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	525'824 bytes
First seen:	2020-09-28 14:47:37 UTC
Last seen:	2020-09-28 15:40:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:k385JsQbbCXl8o22wikYT0nNSZsWrK+9OhYnsRf0gbVcLYPnuKzIMljTwltaoFfG:+UsQal8o22kYTBup6nXg2Lu/lo+o9u
Threatray	246 similar samples on MalwareBazaar
TLSH	8CB48D147A65CA32C36C43B7D1C65E6C83B9C863D5F5EB4A398F52C6090338ACE46BD6
Reporter	JAMESWT_WT
Tags:	implant MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

102

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Variant.Razy.747050.684.2758.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Creating a window

Adding an access-denied ACE

Reading critical registry keys

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/476527

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

May check the online IP address of the machine

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9c4a2d8473718bdb1725450b6f0567098006b9aa89fbd913acab1bab0857143d/

Threat name:

ByteCode-MSIL.Trojan.BMassKeyLogger

Status:

Malicious

First seen:

2020-09-28 14:44:43 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=trfc3bdtogf5wfzfiufw6blhbgaanonkrh55se5mvmn2wccxcq6q._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

047e9f8b825378da0ad294496cbed35ff024c2742993e6eb0d4a1bc94c6bdb02

MassLogger

234b2c300af5e4ac2001332e07c2e54bd48dac174cf8b5d0c486a3cc6076043c

MassLogger

9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4

MassLogger

a920f6bd5e8cf8734daa7aa6b0a79b3edc9725c436f5b6bdec9a7490792c8298

MassLogger

ab7cc003aa4d6807236dcd8983804a44a460a462c0e6d4ef70b3030f8ab6b366

MassLogger

b515db56b7c63191b19befe748f7af7f00d08623029e8856c86fc46362fbed9f

MassLogger

c7f039cff52a5c1de59fb782259f3fd2054946e9fca03d364f61c7977128dcca

MassLogger

dd652810ff0fc0288768ac20d5fcc76f7bc517c3ed8b066a18340a8b69c69c3a

MassLogger

f23b9e7560ded009508ff2a4dd75507d7bf087ad69c47fc5320af052d95fa814

MassLogger

+ 236 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/200928-m15z887646/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

9c4a2d8473718bdb1725450b6f0567098006b9aa89fbd913acab1bab0857143d

MD5 hash:

35ca357195e9df3237072740c0934f38

SHA1 hash:

9547ba9b31f81bc486b44725d7d90f14d6b693c9

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/bf8abbf4-254d-4705-ab95-8f928360da76/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

MassLogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9c4a2d8473718bdb1725450b6f0567098006b9aa89fbd913acab1bab0857143d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/66450/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample