MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7b21f370c7b0322f1ec27c22ece8bb37380c3bed905c5c19fc60eace18eb9b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7b21f370c7b0322f1ec27c22ece8bb37380c3bed905c5c19fc60eace18eb9b8
SHA3-384 hash: f8ca31ae94c185802bfec9aa8af7e26faf8ee0b50faf3d14a48e153103371567c3a0d0081dedd1d25efd1ac54acddfb4
SHA1 hash: c31552bee37d9ac34e5b81294d0177b076234720
MD5 hash: e91f8d7dfd915d4082588211f0a211fc
humanhash: johnny-cardinal-green-muppet
File name:Al-Hbb_Doc-EUR_Pdf.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'331'000 bytes
First seen:2020-11-16 15:31:24 UTC
Last seen:2020-11-16 17:57:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:mdsLNPDP+e79ZSICu0usLo31J7ssKT8lQ29K51lRqGaq68HnFFf:
Threatray 513 similar samples on MalwareBazaar
TLSH E1555CF4509E14A2F25F4536AAAEFDA402B2B587DBCA594C037CF1710BBB7627E0580D
Reporter James_inthe_box
Tags:exe MassLogger

Code Signing Certificate

Organisation:Discord Inc.
Issuer:DigiCert EV Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Mar 14 00:00:00 2018 GMT
Valid to:Feb 18 12:00:00 2021 GMT
Serial number: 04F131322CC31D92C849FCA351D2F141
Intelligence: 17 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 584035E0344227FC32C92A7F3FD4D88594A26C2E953360543D613329E99122DD
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Launching a process
Reading critical registry keys
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/538044
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 318130 Sample: Al-Hbb_Doc-EUR_Pdf.exe Startdate: 16/11/2020 Architecture: WINDOWS Score: 100 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for dropped file 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 12 other signatures 2->56 8 Al-Hbb_Doc-EUR_Pdf.exe 1 6 2->8         started        12 NimsSkype.exe 3 2->12         started        14 NimsSkype.exe 2 2->14         started        process3 file4 32 C:\Users\user\AppData\...32imsSkype.exe, PE32 8->32 dropped 34 C:\Users\...34imsSkype.exe:Zone.Identifier, ASCII 8->34 dropped 36 C:\Users\user\...\Al-Hbb_Doc-EUR_Pdf.exe.log, ASCII 8->36 dropped 58 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->58 60 Injects a PE file into a foreign processes 8->60 16 Al-Hbb_Doc-EUR_Pdf.exe 15 2 8->16         started        20 NimsSkype.exe 12->20         started        22 NimsSkype.exe 12->22         started        24 NimsSkype.exe 12->24         started        26 NimsSkype.exe 14->26         started        signatures5 process6 dnsIp7 38 smtp.privateemail.com 199.193.7.228, 49749, 587 NAMECHEAP-NETUS United States 16->38 40 elb097307-934924932.us-east-1.elb.amazonaws.com 54.235.142.93, 49742, 80 AMAZON-AESUS United States 16->40 42 3 other IPs or domains 16->42 44 Tries to steal Mail credentials (via file access) 16->44 46 Tries to harvest and steal browser information (history, passwords, etc) 16->46 48 Adds a directory exclusion to Windows Defender 16->48 28 powershell.exe 11 16->28         started        signatures8 process9 process10 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7b21f370c7b0322f1ec27c22ece8bb37380c3bed905c5c19fc60eace18eb9b8/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-16 15:29:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u6zb6nympmbsf4pme7bc5tulwnzybq563ec4lqm7yyhkzymoxg4a._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
01ed663f821885ce5aecbbfed7ca419743a682a81e535ec89237a88dc1d0c69e
MassLogger
263fefe63ffef92b66516f9de917b4af09783ef5e3b6ba93b030d91c624c7925
MassLogger
35f2b564b92926be5ad794706e1acb2ee4b0b0972ccdeeaa71551ff12e546fd5
MassLogger
474453d6854784248699500221c30a6fb1a755e0a48308e567ea814481387f04
MassLogger
586eadfc1fef3d64e165d65502aa2e27ef8a4ab4079ac1e4d96d4f65e0126a6f
MassLogger
7f65935cd55b5a0978bf0a70690462a08d83657a97ddbe6aba871a5496d5f9c5
MassLogger
ae5707f5f0a688fe98d545b88eb0fafcddc9ac9719bc381f3394681c20af59b5
MassLogger
bc0af8fda43937d6a0d717e5be51d3f5a51a67077bc8ca85f031fa5bc08d165a
MassLogger
ed42640da83dda3bf2ed08c414bfd256a82c9a8ef1894a59e3c421b254c59d4d
MassLogger
f925d649aee4b92c974778fd87576229f44972c23df41df5aacdd9dc55fd2c45
MassLogger
+ 503 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger persistence spyware stealer
Link:
https://tria.ge/reports/201116-v3d2ec5aae/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
a7b21f370c7b0322f1ec27c22ece8bb37380c3bed905c5c19fc60eace18eb9b8
MD5 hash:
e91f8d7dfd915d4082588211f0a211fc
SHA1 hash:
c31552bee37d9ac34e5b81294d0177b076234720
Link:
https://www.unpac.me/results/55dd21ee-cdf7-4989-8727-424af50df38d/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/55dd21ee-cdf7-4989-8727-424af50df38d/
SH256 hash:
30f51d23c3812982036c9210989adcc83ff1be945b035437cfa87d0199af57cc
MD5 hash:
a8c99c6f0aab802c8f4eaaac3a1383f5
SHA1 hash:
d97d5558a8e2aa17febccdaf4ec94f6ffff855e7
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/55dd21ee-cdf7-4989-8727-424af50df38d/
SH256 hash:
de2d3bfe4345c10bf1d211a8844aced4ddac07403095ccf7fff59e2980c9cc2f
MD5 hash:
47600239df7d2e5dc60c5ad5f71cf401
SHA1 hash:
e3b4d923aa0d7c0b4519bdca2ac9663e6f33bd60
Link:
https://www.unpac.me/results/55dd21ee-cdf7-4989-8727-424af50df38d/
SH256 hash:
92e6a0b5621e88e13cf0f63e18d1af14dd4f53c6296c6128b5400b9eede576c9
MD5 hash:
beb6de164a6ff7a249c5a2eadac96bff
SHA1 hash:
928aa3252367b92a14fc4cc1300b9906376cac34
Link:
https://www.unpac.me/results/55dd21ee-cdf7-4989-8727-424af50df38d/
SH256 hash:
bd4a759c08a06049dbe7560aa907dff597421dc09c564bec4b2ea484ed69e7e3
MD5 hash:
a1ed9210038b458391b5c9e90444e594
SHA1 hash:
fe3a5d9e452725ab868b5ce3327c9aa71e863889
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/55dd21ee-cdf7-4989-8727-424af50df38d/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MassLogger
Create hunting rule
Author:kevoreilly
Description:MassLogger
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments