MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c589c3ffe9498e350a71024049e786772704a42873de61a966779d7794214183. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c589c3ffe9498e350a71024049e786772704a42873de61a966779d7794214183
SHA3-384 hash: 72da3dd98a20d34d2fbbc085ad3407950cafa435492117dc483b664c60c7dfb21de0234d5aac6a9fa63fe5ed54f16e95
SHA1 hash: 7ba01079bff6467a7138621be2e905f9b99a7b00
MD5 hash: 34594608a34303c900bc8ee61fd4f6a8
humanhash: johnny-iowa-skylark-mirror
File name:34594608a34303c900bc8ee61fd4f6a8.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:2'485'248 bytes
First seen:2021-01-17 13:53:10 UTC
Last seen:2021-01-17 15:56:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 49152:PlOz882zrL32curqML7sTk1bxzmC/ec4uWjUUhmR/LH8nb22229222/22222222T:P4zOzrjnqv/1bND2jUUS/K22229222/z
Threatray 186 similar samples on MalwareBazaar
TLSH 8AB52351FB688B41E7841136E6F7383E43A0DA6A6A3397D32F54779A140021B7E4FA4F
Reporter abuse_ch
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CryptoClient.exe
Verdict:
Malicious activity
Analysis date:
2021-01-15 07:10:54 UTC
Tags:
installer teamviewer tvrat rat trojan evasion redline
Link:
https://app.any.run/tasks/e2a6f1d3-805e-4113-b3d6-95d6c9855ee8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112371/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36122303.11296.4043.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/583173
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 340625 Sample: 6fAjRmbM4P.exe Startdate: 17/01/2021 Architecture: WINDOWS Score: 100 65 iplogger.org 2->65 67 2no.co 2->67 75 Multi AV Scanner detection for dropped file 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 .NET source code contains method to dynamically call methods (often used by packers) 2->79 81 4 other signatures 2->81 8 6fAjRmbM4P.exe 3 5 2->8         started        12 6fAjRmbM4P.exe 2->12         started        14 6fAjRmbM4P.exe 3 2->14         started        16 6fAjRmbM4P.exe 2->16         started        signatures3 process4 dnsIp5 59 C:\Users\user\AppData\...\6fAjRmbM4P.exe, PE32 8->59 dropped 61 C:\Users\...\6fAjRmbM4P.exe:Zone.Identifier, ASCII 8->61 dropped 83 Creates an undocumented autostart registry key 8->83 85 Creates autostart registry keys with suspicious names 8->85 87 Creates multiple autostart registry keys 8->87 89 Drops PE files to the startup folder 8->89 19 WerFault.exe 23 9 8->19         started        22 6fAjRmbM4P.exe 13 8->22         started        25 cmd.exe 1 8->25         started        37 2 other processes 8->37 91 Hides threads from debuggers 12->91 93 Injects a PE file into a foreign processes 12->93 27 6fAjRmbM4P.exe 14->27         started        29 cmd.exe 14->29         started        31 cmd.exe 14->31         started        33 cmd.exe 14->33         started        63 192.168.2.1 unknown unknown 16->63 35 cmd.exe 16->35         started        file6 signatures7 process8 dnsIp9 57 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->57 dropped 69 iplogger.org 88.99.66.31, 443, 49720, 49721 HETZNER-ASDE Germany 22->69 71 2no.co 22->71 39 conhost.exe 22->39         started        41 conhost.exe 25->41         started        43 timeout.exe 1 25->43         started        73 2no.co 27->73 45 conhost.exe 27->45         started        49 2 other processes 29->49 51 2 other processes 31->51 53 2 other processes 33->53 47 conhost.exe 37->47         started        55 3 other processes 37->55 file10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c589c3ffe9498e350a71024049e786772704a42873de61a966779d7794214183/
Threat name:
ByteCode-MSIL.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2021-01-15 00:38:34 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
082f1317f03b76584194dc5b800ed466cc1fbef34ef63a6019c2dc1de47212ed
MassLogger
3b9f555888df6326a6a0c7dd2c2c1c2d78bbb969c1b7d40ea0d0e9679a06bbc5
MassLogger
5637daf1b0a5e312bf2118b89083c186fa32f074a12006ef7df0e49ce51f40c1
MassLogger
6db5c602b2b6eda92f499857a0e0944798b1b2988a004ae06db65d80df3b7145
MassLogger
7c19dad6af8b2138eb289abbf8f64664ddc07f8d9f715445e8774c3bff4fbb02
MassLogger
8a6b671ef4fc65efa1bd306da35f4bf2a18814d1ecf0f868ff2f27177fb37809
MassLogger
e38724644ed4643ebcdea6b0ae8345bf094d9f6e6d81b0acb244f96a3129077e
MassLogger
e846c73b8c02eb9abc0e42d17bb3f3b501e6c4a327d3308b2d16cffa7a813638
MassLogger
f37537ab1a0c2fd830bf2ea03f299ceccf2d1eb5f8c72be80580a680450da4aa
MassLogger
fe40a261819b8c1f1308aaded3d797fd2ade74c2bb23f51deedc4b5b0c0f2d6f
MassLogger
+ 176 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/210117-39nmj1dxe2/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
add8287467d7e9b4dfcbc4938e361e2da090415b0e2906aa5af38cb9c30b5516
MD5 hash:
bb59538a9404c6d6e4c2a82383e5891a
SHA1 hash:
f2c5a6028ab5ba36242cce611588f1dab513539f
Link:
https://www.unpac.me/results/50d18a23-36b6-4549-ac42-9e3ed368df47/
SH256 hash:
2c2bc9b2a1b3b51455d3b25b979a917239ffd506deeab9b47295ca59c6f1a8dc
MD5 hash:
8d899e4c60adac8c879fe2b3d52b1af8
SHA1 hash:
f2bc0e7a08028415acd8de4793ce4329c371095a
Link:
https://www.unpac.me/results/50d18a23-36b6-4549-ac42-9e3ed368df47/
SH256 hash:
c589c3ffe9498e350a71024049e786772704a42873de61a966779d7794214183
MD5 hash:
34594608a34303c900bc8ee61fd4f6a8
SHA1 hash:
7ba01079bff6467a7138621be2e905f9b99a7b00
Link:
https://www.unpac.me/results/50d18a23-36b6-4549-ac42-9e3ed368df47/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c589c3ffe9498e350a71024049e786772704a42873de61a966779d7794214183

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe c589c3ffe9498e350a71024049e786772704a42873de61a966779d7794214183

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/964737/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/112371/

Comments