MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b71afd9d9ddfed028e4235476c6392f1a6d2bbee4c4263c61afcbb1ba1a2b2c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash:	b71afd9d9ddfed028e4235476c6392f1a6d2bbee4c4263c61afcbb1ba1a2b2c5
SHA3-384 hash:	64550b5a4dedbba6222e5ff7bc5d4a175300a39ad3781b3d7447141347456df583b88bc1b63840f7f0166d4fe4b8e6f4
SHA1 hash:	1488344ccc60301491c66554b666f20074a19b8d
MD5 hash:	6b7fcdeacf68a10513d4ccd01977a219
humanhash:	hydrogen-spring-mike-delta
File name:	NEW738_P7382.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'328'128 bytes
First seen:	2020-10-16 13:40:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	24576:fWbfh8PB7dcoTO2Cc2ROvt+Hgd89VIkevswGYn:QyPB7dhTJjSOMHgd8MrNGI
Threatray	363 similar samples on MalwareBazaar
TLSH	5155D085F6195E0FCDDF0BB94997C524F3B42D060815DA0E6EA87FC87A327902BC1E4A
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing MassLogger:

HELO: s111-ir-cpanel-trade.maindns.net
Sending IP: 185.165.116.18
From: Kamrul Salami <info.pgpaper@gmail.com>
Reply-To: info@pgpaper.com
Subject: Re:New Order Designs & Specs!!!
Attachment: New order designs & invoice.rar (contains "NEW738_P7382.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/72059/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.42621.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Launching a process

Reading critical registry keys

Sending a custom TCP request

Setting a global event handler for the keyboard

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/493722

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b71afd9d9ddfed028e4235476c6392f1a6d2bbee4c4263c61afcbb1ba1a2b2c5/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-16 04:14:13 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=w4np3hm537wqfdscgvdwyy4s6gtnfo7ojrbghrq27s5rxincwlcq._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

2366b27cff475b8bd3f0f21d699653b40727717fac97cef2f3328f58f91cf83d

MassLogger

3a0be5a1fff244fa45880b635504af22de4c0357591578aa4b209ca53d3a4ccc

MassLogger

73820e9bd81ce740a0a3ec45fe10749a64034aab5efbeb12adec9ebf46c0f2ba

MassLogger

74561e938b5a4d9966fa56ba62082b6bcc9deecbe62984d1ebfc7db34eaf9f17

MassLogger

8899a90e9da2a5de4afe8ba47e95750e95ec17ede7c31557d7a28243b9756364

MassLogger

8e4ceb651508d097ba20fbb82af157ea25bc12e32caaf7d02247646e4e3c0629

MassLogger

94f3a02a7435ee096c0f5ee7321d8d82ae12826b144bf1c706ebaf6508734450

MassLogger

b46a6149d0b32f6cfc7f99f367b59c62510e3b10cb63e585b0d18a66f8b36761

MassLogger

f010bc0295db81514c87fde7298f3425670ae67f4f24a21f20232a10eb644907

MassLogger

+ 353 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

stealer spyware family:masslogger

Link:

https://tria.ge/reports/201016-znp37h1ha6/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

MassLogger

MassLogger Main Payload

Unpacked files

SH256 hash:

607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b

MD5 hash:

a90baadadf904455325f7bc787185c7b

SHA1 hash:

7d833bb819d638008c98be469b05db2feaf201cd

Link:

https://www.unpac.me/results/79d5251a-008b-485d-a9d8-bc0230920cdb/

SH256 hash:

20bed6552f7b8734f91f96e0efe10647e3fb4358db0bd02a6e6431dc03de620e

MD5 hash:

1784ffa4c84683cf1d7039162968f2f9

SHA1 hash:

81b1ea663aa8a6117aa7850b2f42b61d4e57ad86

Link:

https://www.unpac.me/results/79d5251a-008b-485d-a9d8-bc0230920cdb/

SH256 hash:

e2a8241638d05fce22b45a07902957ca2e0303f404eced6ff021604a2cb10557

MD5 hash:

5ff50e928c7e6e4b02e6b36c7b7d934e

SHA1 hash:

8ac0ef5ddf2b7a5aeb3796b3fe24d3f300cc46bf

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/79d5251a-008b-485d-a9d8-bc0230920cdb/

SH256 hash:

1ec40419482e49842da8a13368889bba4f7dceb6fd9a2fba889f82c8ad58c55f

MD5 hash:

bdde99f7e2fff3210c8d5644d83cabf9

SHA1 hash:

2db5e6706d3030009b873de5eea110d1c970ae7f

Link:

https://www.unpac.me/results/79d5251a-008b-485d-a9d8-bc0230920cdb/

SH256 hash:

4f1aac361b403f0dc5b34627b8d2690f634d5e3c3f4dda006c8d1a9037d3563d

MD5 hash:

53ef63d18cff994c692cea5c667c5745

SHA1 hash:

5e9d42f0b1fe8b042efd12f92d70ed8c8ddc3ba7

Link:

https://www.unpac.me/results/79d5251a-008b-485d-a9d8-bc0230920cdb/

SH256 hash:

b71afd9d9ddfed028e4235476c6392f1a6d2bbee4c4263c61afcbb1ba1a2b2c5

MD5 hash:

6b7fcdeacf68a10513d4ccd01977a219

SHA1 hash:

1488344ccc60301491c66554b666f20074a19b8d

Link:

https://www.unpac.me/results/79d5251a-008b-485d-a9d8-bc0230920cdb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/b71afd9d9ddfed028e4235476c6392f1a6d2bbee4c4263c61afcbb1ba1a2b2c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf