MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2e3be816965fa1326deb7c5536efebe3b514b9fd2aab1b9f67e48fb0c1f81cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	b2e3be816965fa1326deb7c5536efebe3b514b9fd2aab1b9f67e48fb0c1f81cc
SHA3-384 hash:	7f2c896ccb2e4123306e21b15cea3a9bbdd670cf3bd88ed6045b519ca4a5905543949c6bf10a730bc21dad99f2ff65db
SHA1 hash:	1c125aed6626c4c2df6a7cc39deaa01779c7f81f
MD5 hash:	edd61aefb66b5d2a83da809333b27718
humanhash:	minnesota-winter-solar-ink
File name:	InstallUtil
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	524'288 bytes
First seen:	2020-09-30 12:04:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:EoB0oSGobbFtkP2szfWiHpbhM9cPQZNGMOcg1He7sAsAntfpBcIjE6jPNx7DWm:2dbbCNj/P+NochNntX/p1W
Threatray	250 similar samples on MalwareBazaar
TLSH	E6B48B44FAB58A31C66D83B6D1C22D36C3B9C953D0E9EB5939AC56D1190338ACE437CB
Reporter	JAMESWT_WT
Tags:	MassLogger v3.0.7563.31381

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

Win.Packed.Razy-9769683-0

Win.Trojan.Miner-9769768-0

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Creating a window

Adding an access-denied ACE

Reading critical registry keys

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/478287

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b2e3be816965fa1326deb7c5536efebe3b514b9fd2aab1b9f67e48fb0c1f81cc/

Threat name:

ByteCode-MSIL.Trojan.BMassKeyLogger

Status:

Malicious

First seen:

2020-09-29 09:00:38 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wlr35aljmx5bgjw6w7cvg3x6xy5vcs472kvldopwpzepwda7qhga._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

3662a3b002337c0da8ad94925e3c183f0a2d35b0932f9d40b89643335f10564d

MassLogger

7f65935cd55b5a0978bf0a70690462a08d83657a97ddbe6aba871a5496d5f9c5

MassLogger

9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4

MassLogger

ab7cc003aa4d6807236dcd8983804a44a460a462c0e6d4ef70b3030f8ab6b366

MassLogger

dc0087097e433036c00aaf8751d4cd9dc3e309fdba09c2ee1415a4060aa1cced

MassLogger

ed42640da83dda3bf2ed08c414bfd256a82c9a8ef1894a59e3c421b254c59d4d

MassLogger

f784d412a56ccd414525c22e6b2e7c9482040e89be20fdb1f2e4db0016812ea7

MassLogger

f925d649aee4b92c974778fd87576229f44972c23df41df5aacdd9dc55fd2c45

MassLogger

fc8f5c635abe5534833683141ae57470c09a246eb290895ce748d1bede405c25

MassLogger

+ 240 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/200930-zwensbpjan/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

b2e3be816965fa1326deb7c5536efebe3b514b9fd2aab1b9f67e48fb0c1f81cc

MD5 hash:

edd61aefb66b5d2a83da809333b27718

SHA1 hash:

1c125aed6626c4c2df6a7cc39deaa01779c7f81f

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/c3dfa60c-2eca-4477-84c6-2da313afeda3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

MassLogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b2e3be816965fa1326deb7c5536efebe3b514b9fd2aab1b9f67e48fb0c1f81cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/67117/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample