MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae8c7f63195f1f39ebf09f87b61fd3f27ced535bf9035900d2f185aa7662f728. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae8c7f63195f1f39ebf09f87b61fd3f27ced535bf9035900d2f185aa7662f728
SHA3-384 hash: 7fd5d19001d9fe60c5e383f4b7d2d3519c33b8e3ce9939e1d0ac89a156b66e59fa9d15b4b4c9b32d098c9ff75bbf9e08
SHA1 hash: 858a305dafe601885529496e021a8562ed5a0ace
MD5 hash: 7e06d7ec5aededfbe490f9ac486a9b8f
humanhash: hot-minnesota-edward-sink
File name:7e06d7ec5aededfbe490f9ac486a9b8f.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'691'136 bytes
First seen:2020-08-06 08:19:16 UTC
Last seen:2020-08-06 13:40:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:IIYxPeVZlxiGfDOsj20rh03r64sLrCm+fUVuJdDBt3M:IIPVjTDxj20103rwLbVult
Threatray 669 similar samples on MalwareBazaar
TLSH FB75E192F5448A11C81A4A3A9D73C5EB5733EC16AF07860332ADF7196FB72896B507C3
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
MassLogger SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
3
# of downloads :
60
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/40399/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.48221.29312.21826.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/412638
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae8c7f63195f1f39ebf09f87b61fd3f27ced535bf9035900d2f185aa7662f728/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-06 08:21:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
37
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v2gh6yyzl4ptt27qt6d3mh6t6j6o2u237ebvsags6gc2u5tc64ua._file
Verdict:
unknown
Similar samples:
20be971374f0ffd1224aafed410fdb30e3340788a7dd80747dd18f3ef0f8168d
MassLogger
26f2d26b01147113e1767023ecad609c6b466ce8ede36831362974f808b5f16e
MassLogger
49406d04e4b7268279ea17e07bdb6e89c1d09b599b5afc2f9e95983db09125ef
MassLogger
7391f3917523baee91e92967c12e20c57448474696590fcbc6e5e6b3c5e21f78
MassLogger
77edc9558f41f26d6b1586ca2fea51861a67de17a50f9494090070285e1f0c43
MassLogger
8fc4747ee4e9b358ddd1dffff19b0b3f5166e8b4ef15257be68d3fa2decb347e
MassLogger
a4df7bd8daff5a4723055c7589244e1719c45223f09f42b06a621aad5ee1f2f4
MassLogger
b6cc6aed76d1b7e069209d41f75b0275cd99154d75672214c039d8bc0e2eae98
MassLogger
dc05645067f3f3ccf6a4e647dcf935c928fd981ef904672603a7ab409488166e
MassLogger
e33ecba374a7d34a6c237fde198844930a82c27199c76f49bc0558e0caf1f4a4
MassLogger
+ 659 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200806-v8xa3sdn9a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger log file
MassLogger
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae8c7f63195f1f39ebf09f87b61fd3f27ced535bf9035900d2f185aa7662f728

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe ae8c7f63195f1f39ebf09f87b61fd3f27ced535bf9035900d2f185aa7662f728

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/426024/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/40399/

Comments