MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aac2a46338d7fc35f813863709d2622e53fa1a66facefd6133fa69f4d74e1b3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 15


Intelligence 15 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aac2a46338d7fc35f813863709d2622e53fa1a66facefd6133fa69f4d74e1b3b
SHA3-384 hash: d6af95d842000ca70517a62dcee51626e32657a76c045042084313d3344074732af38658c1d83c7fb56a4a51bb3dbef4
SHA1 hash: 12a86907ae9bf3064a4e585bb88a54ca9c4517bd
MD5 hash: a3780d1acea7799523939341e3e2b329
humanhash: michigan-sodium-louisiana-victor
File name:xr7cLQMx2Alb.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:938'496 bytes
First seen:2022-09-16 06:34:31 UTC
Last seen:2022-09-16 06:34:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:tNNzGTYAZN0gGkaoOsiwW0ZzELusJLK1lk6QLP:BGTYAZN0gGkaoOsiwW0Zzek1lk
Threatray 327 similar samples on MalwareBazaar
TLSH T184151914F7F855A5F06EBF30747099054A39BE43697DD74A2BA690890F6B3808CB1FA3
TrID 53.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
12.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.6% (.SCR) Windows screen saver (13101/52/3)
7.7% (.EXE) Win64 Executable (generic) (10523/12/4)
4.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter pmelson
Tags:exe MassLogger VoidRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
339
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
xr7cLQMx2Alb.exe
Verdict:
Malicious activity
Analysis date:
2022-09-16 06:35:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/28562c2d-d7f5-4efe-ab11-517d3e3aeb5c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310437/
Detection(s):
Win.Malware.Ursu-9802322-0
Create hunting rule

Win.Packed.Adwarex-9851111-0
Create hunting rule

Win.Packed.Bulz-9891112-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.NWorm.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a window
Sending a custom TCP request
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
83%
Tags:
anti-vm cmd.exe cmstp.exe evasive explorer.exe fingerprint fingerprint greyware keylogger netsh.exe packed packed regasm.exe schtasks.exe stealer update.exe
Link:
https://www.filescan.io/uploads/63241918b564f001cc8d07a2/reports/0831c654-29ad-4793-ad89-7e534b74276a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bcfe715a-6148-432e-ba26-0b3ffc3c7adc
Result
Threat name:
Clipboard Hijacker, Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1071412
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to hide user accounts
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Generic Downloader
Yara detected Quasar RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 703954 Sample: xr7cLQMx2Alb.exe Startdate: 16/09/2022 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 13 other signatures 2->40 7 xr7cLQMx2Alb.exe 15 5 2->7         started        process3 dnsIp4 30 blackid-4782.portmap.io 138.197.189.80, 4782, 49719 DIGITALOCEAN-ASNUS United States 7->30 32 ip-api.com 208.95.112.1, 49718, 80 TUT-ASUS United States 7->32 42 May check the online IP address of the machine 7->42 44 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->44 46 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->46 11 cmd.exe 2 7->11         started        14 cmd.exe 7->14         started        16 cmd.exe 7->16         started        signatures5 process6 signatures7 48 Uses ping.exe to check the status of other devices and networks 11->48 18 conhost.exe 11->18         started        20 chcp.com 1 11->20         started        22 PING.EXE 1 11->22         started        24 conhost.exe 14->24         started        26 chcp.com 1 14->26         started        28 conhost.exe 16->28         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aac2a46338d7fc35f813863709d2622e53fa1a66facefd6133fa69f4d74e1b3b/
Threat name:
ByteCode-MSIL.Trojan.MassLogger
Create hunting rule
Status:
Malicious
First seen:
2022-09-16 06:35:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vlbkiyzy276dl6atqy3qtutcfzj7ugtg7lhp2yjt7ju7jv2odm5q._file
Verdict:
malicious
Similar samples:
102f91266026da7eb656fe30e15fb7eadda1335013bc21ab3e0a986ea1ff7727
MassLogger
32bf6a730cca597011b8e619bad0168190337b8e96db09e2fe214b436d8f2f69
MassLogger
487aca55fa769887d37ff292489f62e9b58afe78aa7242f6143f88ea2fc13023
MassLogger
5d8823c74c9bd0d2b25fd7d4443d4652cb92c2513c6e5e339884619052672880
MassLogger
7fa160e2ee00bd1ace890c6761f0bb81ea43a8937dffb003229dd4b232027a6b
MassLogger
a0824896a6cb88bb0459cd54f5085056cfd2c9733b5cdc75623615e5d61f86c1
MassLogger
b26c95976936054915610598a19dabb10dd52f47b9edbdbadc079d2e91717814
MassLogger
b988c0f23891eb55f3c66c0409aa327da666d9b084d309e1d8907976c36027ed
MassLogger
ef4292a933e33418776d69b89f4cba6fc5acb974eccebd852c0d31cc16161dcc
MassLogger
+ 317 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:quasar botnet:rclient spyware trojan
Link:
https://tria.ge/reports/220916-hccgesaehm/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
blackid-4782.portmap.io:4782
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a0ab9e32-1a60-4620-a220-7663095365c8
Unpacked files
SH256 hash:
aac2a46338d7fc35f813863709d2622e53fa1a66facefd6133fa69f4d74e1b3b
MD5 hash:
a3780d1acea7799523939341e3e2b329
SHA1 hash:
12a86907ae9bf3064a4e585bb88a54ca9c4517bd
Detections:
win_masslogger_w0
Create hunting rule
win_agent_tesla_g1
Create hunting rule
Link:
https://www.unpac.me/results/4e6282e0-8166-4d5a-9050-d55221d40f2f/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aac2a46338d7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aac2a46338d7fc35f813863709d2622e53fa1a66facefd6133fa69f4d74e1b3b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:malware_Quasar_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:MALWARE_Win_DLAgent09
Create hunting rule
Author:ditekSHen
Description:Detects known downloader agent
Rule name:MALWARE_Win_DLAgent10
Create hunting rule
Author:ditekSHen
Description:Detects known downloader agent
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe aac2a46338d7fc35f813863709d2622e53fa1a66facefd6133fa69f4d74e1b3b

(this sample)

  
Link
https://www.virustotal.com/gui/file/aac2a46338d7fc35f813863709d2622e53fa1a66facefd6133fa69f4d74e1b3b/detection
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/310437/

Comments