MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa02fea6a68d226223ecaf7220d64ea8fd7bcb4c136133d00c88ef94e78b954b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa02fea6a68d226223ecaf7220d64ea8fd7bcb4c136133d00c88ef94e78b954b
SHA3-384 hash: ffdc67ebe9b328330bab31105eeae13cafbe471230fba34cd8a68c5ebbb7c7bf5949239c34e02116860d2f50d818ed89
SHA1 hash: ae612fd6b75cc02c06411f4d33f3561a2b2d16ef
MD5 hash: 5d78ff6a171210e8f566ec2dca0390a7
humanhash: nine-alanine-mockingbird-fourteen
File name:5d78ff6a171210e8f566ec2dca0390a7.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:659'456 bytes
First seen:2020-11-09 13:39:18 UTC
Last seen:2020-11-09 16:02:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:+2HSyOZjHZ9h1B+lMEAaGb78/4wK6UGSg6iCR67gR3XWgInxi/:31qLhuCCGbzb6UGSqk68XW1xK
Threatray 488 similar samples on MalwareBazaar
TLSH A6E4D035734FA7B8C6EC7E34901820930310F6E69C5BB01E6F45BE9D7AE1E99005A7E6
Reporter abuse_ch
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.276.13758.21229.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/526412
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 312296 Sample: XT4x3vxs5P.exe Startdate: 09/11/2020 Architecture: WINDOWS Score: 100 79 Antivirus detection for dropped file 2->79 81 Antivirus / Scanner detection for submitted sample 2->81 83 Multi AV Scanner detection for dropped file 2->83 85 9 other signatures 2->85 9 XT4x3vxs5P.exe 7 2->9         started        13 tty.exe 2 2->13         started        process3 file4 63 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 9->63 dropped 65 C:\Users\user\AppData\...\sysmx9.exe.lnk, MS 9->65 dropped 67 C:\Users\user\AppData\...\XT4x3vxs5P.exe.log, ASCII 9->67 dropped 89 Writes to foreign memory regions 9->89 91 Allocates memory in foreign processes 9->91 93 Injects a PE file into a foreign processes 9->93 15 svhost.exe 15 8 9->15         started        20 cmd.exe 1 9->20         started        22 cmd.exe 3 9->22         started        24 cmd.exe 1 9->24         started        26 conhost.exe 13->26         started        signatures5 process6 dnsIp7 69 elb097307-934924932.us-east-1.elb.amazonaws.com 54.235.182.194, 49719, 80 AMAZON-AESUS United States 15->69 71 nagano-19599.herokussl.com 15->71 73 api.ipify.org 15->73 57 C:\Users\user\AppData\Local\Temp\4\tty.exe, PE32 15->57 dropped 75 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->75 77 Adds a directory exclusion to Windows Defender 15->77 28 cmd.exe 1 15->28         started        30 cmd.exe 1 15->30         started        32 powershell.exe 24 15->32         started        34 reg.exe 1 1 20->34         started        37 conhost.exe 20->37         started        59 C:\Users\user\AppData\Local\...\sysmx9.exe, PE32 22->59 dropped 39 conhost.exe 22->39         started        61 C:\Users\user\...\sysmx9.exe:Zone.Identifier, ASCII 24->61 dropped 41 conhost.exe 24->41         started        file8 signatures9 process10 signatures11 43 tty.exe 28->43         started        45 conhost.exe 28->45         started        47 timeout.exe 1 28->47         started        49 conhost.exe 30->49         started        51 schtasks.exe 1 30->51         started        53 conhost.exe 32->53         started        87 Creates an undocumented autostart registry key 34->87 process12 process13 55 conhost.exe 43->55         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa02fea6a68d226223ecaf7220d64ea8fd7bcb4c136133d00c88ef94e78b954b/
Threat name:
ByteCode-MSIL.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2020-11-09 10:23:40 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vibp5jvgrurgei7mv5zcbvsovd6xxs2mcnqthuamrdxzjz4lsvfq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
0393a3472d5f00efa4ab91bc086a1908741e10b84925190ff00cb948391a28a8
MassLogger
061e4c2aaf9eb384ce88acacafa133185ede67c01c1ad01d1949218e04901c6b
MassLogger
09d68059fed3b8a9e940eb293662b084cd4bed04b714db17baaefe1c8845458b
MassLogger
18a6b8961bad38e78e24206c4716dc311c53ba24c4d930fc32e4a70b3821b6f4
MassLogger
1bdf22fa4a18737b696478210fe7a4eaf65fa8d1efffc82c675bd23efa8b938b
MassLogger
401b953b523b658a53f5da322b332176946c201d1b2f99c0cdc19f9c77cef0bc
MassLogger
54cbbd379c30bc361abc3b1e262f0a763fcb5482f4b93c6275264759f404dfd8
MassLogger
74d28adc3557d41c3b20e1babb4a9307af0e981e606b505b55a6565c2cbde44c
MassLogger
8e351736ae4bff938f1b59b396f039a6a281c4b8401f918f6b7b52b5c574d330
MassLogger
c449101275bb3598eefd33c8fffa61da3bff7f3b3da684b0a1b8c0ecf4535e7c
MassLogger
+ 478 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger spyware stealer
Link:
https://tria.ge/reports/201109-bxw9pnvpm6/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
MassLogger
MassLogger Main Payload
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe aa02fea6a68d226223ecaf7220d64ea8fd7bcb4c136133d00c88ef94e78b954b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/799148/
  
Delivery method
Distributed via web download

Comments