MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1cc51486690053098454d2e313c4db5071afb8ae600d8caa87a4c5769ee51c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1cc51486690053098454d2e313c4db5071afb8ae600d8caa87a4c5769ee51c2
SHA3-384 hash: 7211d0115801791c86618b10bc723c1974cbad3f7ecfe6d15d68d9dce9f5dafb02e3982bf1d4e45e1fb673b6609594be
SHA1 hash: f84a0360f158946198e3defbe108015107ee2445
MD5 hash: 1fda934a19d67dd8727a2aaab7536770
humanhash: quiet-football-neptune-texas
File name:Halkbank,doc.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:783'872 bytes
First seen:2020-10-15 12:20:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:I/UeqolT/xZgyurGX4Qb4NVVecENOJ9rU06zhPptEfQanA9d18rynLd5Mc/rrxpg:VvWwGoOsHh92hHxanAT18ryLce
Threatray 333 similar samples on MalwareBazaar
TLSH 54F42303A4980370D0BB0AFC35A67667BFD99A0A0123FBE4366D64D7B875F664161C3B
Reporter abuse_ch
Tags:exe geo Halkbank MassLogger TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71379/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42621.23712.12050.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Launching a process
Reading critical registry keys
Setting a global event handler for the keyboard
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492377
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1cc51486690053098454d2e313c4db5071afb8ae600d8caa87a4c5769ee51c2/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 08:02:33 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uhgfcsdgsactbgcfjuxdcpcnwudrv64k4yanrsvipjgfo2pokhba._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
11f3b25ae9fd0ba16395cb35d4d528f5180ecb436d0e095f9f4f0ff1e468e8eb
MassLogger
25f48722bf24e935d7bdca104b416f87424ced29dfec2fbebc817725f09af5f1
MassLogger
553ad8c805d4151e154177bb4fbb1678711306d8eefba081ec36bf0518d4e88f
MassLogger
5c5ebd97c48cdd89aeaf3977c3f7951b5351e88c6e88e09627357fc1e1226c22
MassLogger
67eb81371ab1f5b10fee97f764cc640790bb518fa452554b34ddb4f2f7f74391
MassLogger
6d9aaf59f30c370edf5921da5c9085d00c826c01af55e8dde046b08b2573d8f2
MassLogger
7b7fd4955b651b7279580f7f52d30b7539becf0a637257ee53abeb7dcd03e3e8
MassLogger
b3f2d07e97cfe28deee3a65b8541c48f96f022b52db515b06c635f3b9fcc35ef
MassLogger
d18ed06b9419076750525d6324bce7702186263efaa0ab0d3647510268883f37
MassLogger
f9dfd82d610e342a0d0a21dad1df689c979f863ee1b9f978c56dee49c5bfbb69
MassLogger
+ 323 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
spyware stealer family:masslogger
Link:
https://tria.ge/reports/201015-z236npzkej/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
d2e8fdda571fab2369b8ef03a31599cca12769b671f4b6fdd834be409c69e325
MD5 hash:
7812283b6755d64387b920d1647e23a7
SHA1 hash:
5de53822f2b69758fdd44cd4acff130fd3e1499d
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/1540af48-edca-4327-a8e8-7c80b378a6c1/
Parent samples :
d18ed06b9419076750525d6324bce7702186263efaa0ab0d3647510268883f37
a1cc51486690053098454d2e313c4db5071afb8ae600d8caa87a4c5769ee51c2
37899ec2bb2af9ca237b54707d5e7fdff2618bbe743144f71a3338de8bca2c62
ca18e92f0eb610f92ce008b708acdca5969f308e319f5f128099514948dbd808
60433e0a1c1fb088c5be37ca9760486fd17bb99b848817880b5601e77150e1c8
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/1540af48-edca-4327-a8e8-7c80b378a6c1/
SH256 hash:
bf47f373b2f2b2ee8c775507b9e4e8c1d3b56d6f980834bf9b50f6211f792973
MD5 hash:
abf55b5138a9c230452f950ce7de40e4
SHA1 hash:
c7b4af074c9d2f50b4e02b84e17093f8f9a029ac
Link:
https://www.unpac.me/results/1540af48-edca-4327-a8e8-7c80b378a6c1/
SH256 hash:
a1cc51486690053098454d2e313c4db5071afb8ae600d8caa87a4c5769ee51c2
MD5 hash:
1fda934a19d67dd8727a2aaab7536770
SHA1 hash:
f84a0360f158946198e3defbe108015107ee2445
Link:
https://www.unpac.me/results/1540af48-edca-4327-a8e8-7c80b378a6c1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1cc51486690053098454d2e313c4db5071afb8ae600d8caa87a4c5769ee51c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe a1cc51486690053098454d2e313c4db5071afb8ae600d8caa87a4c5769ee51c2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71379/

Comments