MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0b81523511df7b87111c6d4d849f08326e22a15adeb15a203feb8ce5ca56a75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	c0b81523511df7b87111c6d4d849f08326e22a15adeb15a203feb8ce5ca56a75
SHA3-384 hash:	6cd56609d2700aa47d1ee4c288af3605226817ff2dcd61dec0d8205f29f10678cd474e8f3ee4ce5669a25af3906ecc73
SHA1 hash:	4adc069ac5c7faf89bb43de276b4b462ed7ac820
MD5 hash:	193368c56423d40d89fceb0179bc6970
humanhash:	fourteen-mockingbird-artist-july
File name:	doc7647464.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	2'350'704 bytes
First seen:	2020-10-16 10:25:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:NU3OhQK2cd6pWi1P2kCzu/LmPc/yHyOBTwxpitl6ol:Bh/LkCiKL
Threatray	78 similar samples on MalwareBazaar
TLSH	9EB54E3DADD5223796BAD6B6CAF659CBF912754331126C0E50DB03820A03FAB7DC251E
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing MassLogger:

HELO: server0.ndarr.com
Sending IP: 192.236.199.38
From: Husnul <servh@gmail.com>
Subject: PO/INV Document
Attachment: doc7647464.lzh (contains "doc7647464.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching a process

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Setting a global event handler for the keyboard

Enabling autorun by creating a file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/493420

Signature

.NET source code contains very large strings

Adds a directory exclusion to Windows Defender

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c0b81523511df7b87111c6d4d849f08326e22a15adeb15a203feb8ce5ca56a75/

Threat name:

ByteCode-MSIL.Infostealer.Stelega

Status:

Malicious

First seen:

2020-10-15 10:56:51 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yc4bki2rdx33q4iry3knqspqqmtoekqvvxvrliqd724m4xffnj2q._file

Verdict:

malicious

Label(s):

agenttesla

MassLogger

2149d167c87cf15f48aa1852adcf96c9a62287a26496ff33892ecc67500d3be2

MassLogger

55bca504c5ff798d6c5d4431eff4dda8df6ebfca0db4d86b0f1bf770ff550a0f

MassLogger

6ea011e6a1836355936582525e455b151057c89b7f1780ab52c6f5c4cb19ddad

MassLogger

8f9f89be357d1d17b6281bf9f6caebfa97fdbfcb6aec50e4aa147d0e24e909e7

MassLogger

9b915d2e5f70b859d8c2eafc94bd593d3e53255444a5b4b651dfb9c2523d83d7

MassLogger

b8ad7398bf812d51b21f9ec51b8ffba7d3830dac0a949f09acea087066f4368b

MassLogger

c2c89da1518a4950cedec3129aa86fce21ccec502586e44a7f3b3757b44a1e1c

MassLogger

eed41a2c1215d2ca0ef2022172504a565b7a968e6263e173fceb6f1b1747d795

MassLogger

f4c25b70ae9ea0c7f4a7f028011167b7154ded11a0b8e90b1c7570ba9af1f2f2

MassLogger

+ 68 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

spyware stealer family:masslogger

Link:

https://tria.ge/reports/201016-d3v48e7kta/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

MassLogger

MassLogger Main Payload

Unpacked files

SH256 hash:

c0b81523511df7b87111c6d4d849f08326e22a15adeb15a203feb8ce5ca56a75

MD5 hash:

193368c56423d40d89fceb0179bc6970

SHA1 hash:

4adc069ac5c7faf89bb43de276b4b462ed7ac820

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/3dc39183-e327-4653-92be-49f09b3f1940/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

MassLogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c0b81523511df7b87111c6d4d849f08326e22a15adeb15a203feb8ce5ca56a75

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.