MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f86ac872435f541b72bd8da2719337f399b02ef8740a04f071b9044ae6ed397. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f86ac872435f541b72bd8da2719337f399b02ef8740a04f071b9044ae6ed397
SHA3-384 hash: e0c660dfb395e81ea9398c31bd6ca4ead26a76eb4e181a6818938c262ea045cd6139fad8377edf99c306eb5072c069ab
SHA1 hash: c61b695772de84df8508b9a740437db3a6da417d
MD5 hash: daec8d2a480411ff1f82b24af4ac7cdf
humanhash: nebraska-vermont-island-four
File name:SecuriteInfo.com.Variant.MSILPerseus.224695.13350.12977
Download: download sample
Signature MassLogger
Create hunting rule
File size:696'320 bytes
First seen:2021-01-25 11:53:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:NKHUp9T4ak14XL+mMVSsAjAuYcVWSMDMVqfBdcmDB:NKmJ4EXL+dVcAuv0dMVqJdc
Threatray 611 similar samples on MalwareBazaar
TLSH 18E4BFAB66E14F51D2743936C372C39486E28B0812B3F365E57B02E75E43F7A3A428D5
Reporter SecuriteInfoCom
Tags:MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.MSILPerseus.224695.13350.12977
Verdict:
Malicious activity
Analysis date:
2021-01-25 11:55:08 UTC
Tags:
evasion trojan stealer masslogger
Link:
https://app.any.run/tasks/7135b59d-f667-4084-9892-b24af1de9b28

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
MassLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113700/
Detection(s):
SecuriteInfo.com.Variant.MSILPerseus.224695.13350.12977.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% subdirectories
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/589369
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Found malware configuration
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f86ac872435f541b72bd8da2719337f399b02ef8740a04f071b9044ae6ed397/
Threat name:
ByteCode-MSIL.Trojan.BMassKeyLogger
Create hunting rule
Status:
Malicious
First seen:
2021-01-25 02:07:33 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t6dkzbzegx2udnzl3dncogjtp44zwaxpq5akatyhdoiejlto2olq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
29285c1e0f58e12ace807098090275535b37d6faf0379372b4ae41299cca5c3f
MassLogger
36bb4745d0a342a57dbd7c668aed07e956ff166df4864e21b0770e790f734acc
MassLogger
383c5be68c83202fd20ce29fe47dc6982229ae6bc87349c44216d875554c1d17
MassLogger
3ab0c6de3d72133e9f3cf89b5d6c6bf7feebeaa273a3492aa051d1cc2fde6a33
MassLogger
4f7ce008febd9fe224c7a7cec7d8abf8c0db3611fd14d8aca135041d21d2b45c
MassLogger
97e4b41e30337b05fa008fbb69cbd5f16af2e61067637d1fad45894cfe4c683f
MassLogger
98f14edea3c84946787d020e97f6b161cae2ed419e458434413626b9893c6f62
MassLogger
a04bece1a6910b19011e0736474c73f40567a49986d19ef0a6701fcc301943e2
MassLogger
d02c315a42a4a452a9e78011fbcce66f9f53bab788513d1b6f52e8fc70aa9f3c
MassLogger
ea1d4c5b29018a3134b0b0f1d6cb8055b39e94b5d44e3a6cb18d5cc6b0bfce4e
MassLogger
+ 601 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger ransomware spyware stealer
Link:
https://tria.ge/reports/210125-nmz3d56wnj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Unpacked files
SH256 hash:
9f86ac872435f541b72bd8da2719337f399b02ef8740a04f071b9044ae6ed397
MD5 hash:
daec8d2a480411ff1f82b24af4ac7cdf
SHA1 hash:
c61b695772de84df8508b9a740437db3a6da417d
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/b118654b-210e-456c-aa1f-6f9437f16198/
Parent samples :
9f86ac872435f541b72bd8da2719337f399b02ef8740a04f071b9044ae6ed397
3c7886c5214abc2bbc597d2afe1f28e443c75cfa7e368bec941a1b78bcf7eb12
d25dcb3b16529c18136847b6e4b1ce35f63f29d28722a8030fb47eaaf11f5363
fa5ce219ed13ed1b4a2d4547d79c953d4a12e034078c9e8d4ff6063f9f71311d
c102f6eeb3bc1106d4201200ca09a72f9b044448d1087db2568078489962563a
48ee5dff920a4d725d5356561c31b5dc86637ff17bb653f0d39cc3485ce905e9
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
MassLogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f86ac872435f541b72bd8da2719337f399b02ef8740a04f071b9044ae6ed397

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MassLogger
Create hunting rule
Author:kevoreilly
Description:MassLogger
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/113700/

Comments