MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b25aeadf9b7a24092bf9cc73be9f45ccfa08ac94c5a883aff2d8d8a5df68ffd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b25aeadf9b7a24092bf9cc73be9f45ccfa08ac94c5a883aff2d8d8a5df68ffd9
SHA3-384 hash: 33ec4082f01ae54df5a40f4afa7376792c5a81d37be006327ce7e6a7d3661401f54c119887231f9ad7f63e759984c671
SHA1 hash: f1a9c981746a0faf7439317224709edebb72ac26
MD5 hash: ab5be19947a194e51f29f19188f314a6
humanhash: bakerloo-sierra-minnesota-single
File name:Bc.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:434'688 bytes
First seen:2020-11-24 10:05:34 UTC
Last seen:2020-11-24 13:36:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:ay0ex3Fiu839Q4OHdDzvANu8lvkKXp8/sj:vFF2Q4OhMN
Threatray 12 similar samples on MalwareBazaar
TLSH 6E94025BFD4C8532D148823BC6E3152843B5FB07216BD61A398E336879573FA1A4ABDC
Reporter ffforward
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Sending a UDP request
DNS request
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/545868
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b25aeadf9b7a24092bf9cc73be9f45ccfa08ac94c5a883aff2d8d8a5df68ffd9/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-24 10:06:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
1464e7d26d44d7a83f057056954155a3bec0ee3dfebde5bea8e36945e735c79c
MassLogger
3ca289bac2df826b2d7c4faa05cd9f39a948fdf47872d56ddcfd1a45e60be963
MassLogger
40e91b54dfb08b396759074f6018c28433f771a9c6c66ff5b1789d786c591c87
MassLogger
68c3bc52831c9df86039c85e4e896413bb7ccba3a85827a3ac32909c68e582dd
MassLogger
69c0dfdb136e864341810ac7ac86ce413c9de466d775651e5bf6eeeeebb0e7c2
MassLogger
6e6132e3f3bc119adac878ba65475b581698e8dd7d2169f984bb5eb232f6b3c6
MassLogger
85e74e088eaf61b95d366932ff738a2c100eef6f07960860028af7d789063330
MassLogger
b22d33b348ba648c5f39061bb4e743ed6a52dd57720de34902c093a2f2ac97ab
MassLogger
b8f8eab3a49bec6b9306853e8e5e2da49ba66b5773b259a2d6edfba479d10e85
MassLogger
c582dac0f0f94c07579c35ab71f62b25bf499123d3bea89a33a6b8a80ee3325c
MassLogger
+ 2 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger persistence spyware stealer
Link:
https://tria.ge/reports/201124-bampt18gls/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
e66f53b4f6d0fac0a1f1f1e19b34d11d2e46d80e298f54e0db1548bc4b9bda37
MD5 hash:
e81797143f5b8fb96dda6d656618ac23
SHA1 hash:
21cc391e8a1b1d019ca3ffe06e6469e8a68c27ca
Link:
https://www.unpac.me/results/e3cc41d8-c8d2-407c-83d0-b3213c1617e4/
SH256 hash:
39fccbb56745793c0d47a91da65879c51a5da95f3c752c893c32e0a5a430a1e9
MD5 hash:
7ec0d258dcf36298a084e4d857be963a
SHA1 hash:
b9981a467c271994a7ade85a4599e7c6f1c78df1
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/e3cc41d8-c8d2-407c-83d0-b3213c1617e4/
Parent samples :
b25aeadf9b7a24092bf9cc73be9f45ccfa08ac94c5a883aff2d8d8a5df68ffd9
e95d8b2d7c80f9b47d7c3fb368256962c357404e85f45701a473b6354ca18133
31b06ca8f90f735bd3b209e576db1da2a5ab7f661b58f85eaabcde2181978003
SH256 hash:
b25aeadf9b7a24092bf9cc73be9f45ccfa08ac94c5a883aff2d8d8a5df68ffd9
MD5 hash:
ab5be19947a194e51f29f19188f314a6
SHA1 hash:
f1a9c981746a0faf7439317224709edebb72ac26
Link:
https://www.unpac.me/results/e3cc41d8-c8d2-407c-83d0-b3213c1617e4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/b25aeadf9b7a24092bf9cc73be9f45ccfa08ac94c5a883aff2d8d8a5df68ffd9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

unknown 0fc74635e66a2a92474ec91ab806b2f7f7a6f6f5392b30afebb6bcbb74bae896

MassLogger

Executable exe b25aeadf9b7a24092bf9cc73be9f45ccfa08ac94c5a883aff2d8d8a5df68ffd9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/849154/
  
Dropped by
SHA256 0fc74635e66a2a92474ec91ab806b2f7f7a6f6f5392b30afebb6bcbb74bae896
  
Delivery method
Distributed via web download

Comments