MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b095032316de2f43af0557c35dd58ab254928f24a3b8e7cf4cf5c4dbac73ac56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	b095032316de2f43af0557c35dd58ab254928f24a3b8e7cf4cf5c4dbac73ac56
SHA3-384 hash:	109827e3914f1bfa7e475997366ffc432fccec98a0a05fb80c0eb9f80ebd028a2130b3d4d3f151231721cab0b551cd88
SHA1 hash:	cd7a760abd3f6afdb081b849324bb698576ab6ee
MD5 hash:	b42acee965c746ab367e00d50af20c61
humanhash:	october-missouri-hot-march
File name:	nwamamassloga.com.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	6'639'616 bytes
First seen:	2020-12-08 14:42:47 UTC
Last seen:	2020-12-08 17:08:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	98304:1UlCXA168+JSJaeTdnJMYNfULlwcs21M6ozTbbrT4UUEvTBlUTAFLY:uTKEvTo
Threatray	581 similar samples on MalwareBazaar
TLSH	2D66D3543C22325B759A30B499D616E889EE740C29343A27DCE3A8BCE50D95B7CFF472
Reporter	James_inthe_box
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

149

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

nwamamassloga.com.exe

Verdict:

Suspicious activity

Analysis date:

2020-12-08 15:13:25 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/90d6d762-475b-4357-b6f9-11027f86dfe5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

MassLogger

Link:

https://www.capesandbox.com/analysis/107270/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Maria.3.32195.17191.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Creating a window

Launching a process

Reading critical registry keys

Setting a global event handler for the keyboard

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/558014

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b095032316de2f43af0557c35dd58ab254928f24a3b8e7cf4cf5c4dbac73ac56/

Threat name:

ByteCode-MSIL.Infostealer.Maslog

Status:

Malicious

First seen:

2020-12-08 11:32:51 UTC

File Type:

PE (.Net Exe)

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wckqgiyw3yxuhlyfk7bv3vmkwjkjfdzeuo4opt2m6xcnxldtvrla._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

1e86893e03f2f3bec014fc26e5fabd65fdfa2ddf14111707d0ef20dadf5bcef9

MassLogger

36a4c21f4c6cc8b615bea7141b510fdd5bbae68ee02b262f8215f88f64cf51f6

MassLogger

47a4029c88bdbdbdee351687832b17219abe30284dd1940322fc7e2d69349235

MassLogger

53683da1f2e21ec38952bbde9fd4e04330333cbda4185d1562f99ab31af17ea5

MassLogger

a3d5ac40f8cc27fb19a5aeef41569e8c91de45f19609e60af2555fba2540d348

MassLogger

ad7a57d9fe77aaf343581db70a3fd4a434f6a8ae92fa8731622b3ecf12319321

MassLogger

cc3b971f25d0ad410dbe3b7d1d6235041eb36632d0ea6e8d34a6a94e41d79df3

MassLogger

eaf85730591ccc12bafb5bccca1ef5d55e5193dd0b2d5be61048a9a01ad4e520

MassLogger

f56c53c5daebe1f1bfca2b89f2d3c03556661deeb06e7f3a17e94f6a66f162f4

MassLogger

+ 571 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

family:masslogger spyware stealer

Link:

https://tria.ge/reports/201208-w54d55868j/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

MassLogger

MassLogger Main Payload

Unpacked files

SH256 hash:

b095032316de2f43af0557c35dd58ab254928f24a3b8e7cf4cf5c4dbac73ac56

MD5 hash:

b42acee965c746ab367e00d50af20c61

SHA1 hash:

cd7a760abd3f6afdb081b849324bb698576ab6ee

Link:

https://www.unpac.me/results/c2c6d695-c4a8-4837-9faa-97bf45350321/

SH256 hash:

72965fe39734800f1a9e2fabba28ccb714aafc4b91ae821778362450289cd90b

MD5 hash:

b5b63ed1d4812a4bad736d7cf8ea5c4d

SHA1 hash:

214da544fbfdb3cfc21cd5940c465064f23e02e5

Link:

https://www.unpac.me/results/c2c6d695-c4a8-4837-9faa-97bf45350321/

SH256 hash:

d6bc00b480e8e7413fcd5cfdb19722a2d22ab32ad474f3ee905ab2ff2eb08487

MD5 hash:

1b7ed1d0ce033b95ae752e3df83b8361

SHA1 hash:

62a1dbdc4215596c67bfdd026c2e3199a4d18d47

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/c2c6d695-c4a8-4837-9faa-97bf45350321/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b095032316de2f43af0557c35dd58ab254928f24a3b8e7cf4cf5c4dbac73ac56

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/107270/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample