MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 a8823b9448d287d781bfaa8eb6b974ed4298a2fb73e6ffc2b9327d8943d238ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
MassLogger
Vendor detections: 8
| SHA256 hash: | a8823b9448d287d781bfaa8eb6b974ed4298a2fb73e6ffc2b9327d8943d238ba |
|---|---|
| SHA3-384 hash: | 5959f1e6fd467d7678883798f898ae7a5356f6c711b910516c90756b74aedefaf1ddbd073545239ee9159000f7c4dc10 |
| SHA1 hash: | 7d7ded79bdb15212533141a249a1a71b37d7597a |
| MD5 hash: | d8bd67685d3a0411abaf7b77a5eaff15 |
| humanhash: | freddie-mirror-comet-juliet |
| File name: | MERA Tiernahrung Tents Chile.exe |
| Download: | download sample |
| Signature | MassLogger |
| File size: | 2'685'440 bytes |
| First seen: | 2020-11-07 10:23:22 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger) |
| ssdeep | 1536:AXDAecBU4OQy+qP2ivVKY/ceaXeq4YFcBikOa3l4Dnq7ODQ0hdyD0r5tTpsmSbFv:uR |
| Threatray | 569 similar samples on MalwareBazaar |
| TLSH | 8AC5F5E071C65F7AC7CA424F30590E3D1DE27DE8A792BB88C6F257F7A912B910B25805 |
| Reporter |  abuse_ch |
| Tags: | exe MassLogger |
Intelligence
File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Setting a global event handler for the keyboard
Result
Threat name:
MassLogger RAT
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Masson
Status:
Malicious
First seen:
2020-11-06 21:45:08 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
masslogger
Similar samples:
+ 559 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Score:
10/10
Tags:
family:masslogger spyware stealer
Behaviour
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
6bb6e726b77d523e42f867d853c6501ec4a93bed27d406f9e48b6d6b93c21b0e
MD5 hash:
1f6026b027fc2cd1294305a24be912fd
SHA1 hash:
228422ff9a8ce9cfdb0cc0d4caf58002b33401e7
SH256 hash:
da60f26450794784be8bfe57050169ca95cf99badbe6a727eef854e59bc1adcc
MD5 hash:
f987199a065979afe5fa6f39a608a143
SHA1 hash:
fb65ee0c81e45dccf76d3289923b8124f51a8508
Detections:
win_masslogger_w0
SH256 hash:
a8823b9448d287d781bfaa8eb6b974ed4298a2fb73e6ffc2b9327d8943d238ba
MD5 hash:
d8bd67685d3a0411abaf7b77a5eaff15
SHA1 hash:
7d7ded79bdb15212533141a249a1a71b37d7597a
Please note that we are no longer able to provide a coverage score for Virus Total.
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Embedded_PE |
|---|
| Rule name: | Keylog_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Contains Keylog |
| Rule name: | MassLogger |
|---|---|
| Author: | kevoreilly |
| Description: | MassLogger |
| Rule name: | masslogger_gcch |
|---|---|
| Author: | govcert_ch |
| Rule name: | win_masslogger_w0 |
|---|---|
| Author: | govcert_ch |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
No further information available
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.