MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbfa5e02ca4acf68dcfa7d286275cf1a6d424d4fe74bf840fc5452cfc3680f1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	cbfa5e02ca4acf68dcfa7d286275cf1a6d424d4fe74bf840fc5452cfc3680f1e
SHA3-384 hash:	be4255629d55fe3a16e51381a60b38720cadc9ea2bd45bd32960313dbd546cd02fa6e3679ec4eac66779a9ad7b354ad8
SHA1 hash:	a42e3993a2e336a6f7d24aa91ef2c6b28306ea14
MD5 hash:	2f2a9adbcd17540b1954f7f0443fa1f6
humanhash:	florida-pluto-echo-mobile
File name:	No.123184.pdf.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	833'024 bytes
First seen:	2020-10-20 08:32:57 UTC
Last seen:	2020-10-20 14:08:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:upeRhwZOztLtiR4g2H6RgX+ZQjA1GUKzod:1riMthi9MEgWQjANKzo
Threatray	365 similar samples on MalwareBazaar
TLSH	92051280119A6F37E27E5FF9101C651DDBF1504A375AE7986FE036EA16D0F808B18E63
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing MassLogger:

HELO: angelica-agency.com
Sending IP: 156.96.62.59
From: vivi li <vivi.li@angelica-agency.com>
Subject: Payment chance
Attachment: No.123184.pdf.r00 (contains "No.123184.pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/73353/

Detection(s):

SecuriteInfo.com.Trojan.InjectNET.14.4670.19031.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Launching a process

Reading critical registry keys

Setting a global event handler for the keyboard

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/497367

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Binary contains a suspicious time stamp

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cbfa5e02ca4acf68dcfa7d286275cf1a6d424d4fe74bf840fc5452cfc3680f1e/

Threat name:

ByteCode-MSIL.Trojan.Ymacco

Status:

Malicious

First seen:

2020-10-20 01:50:15 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zp5f4awkjlhwrxh2puuge5opdjwuetkp45f7qqh4krjm7q3ib4pa._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

5dd8cf7e789bc36a9a069cf42247f758e8900f8913c88e5ac84328d30e6d7c99

MassLogger

6bcaa05bb24f934bc0b68c8475610a3a0c1877e279ab50d9fe75144cb369fd1e

MassLogger

70caf501b061da2729d33d4b0c5e9b9c58bc554cdbdddef16f7e057ea346808c

MassLogger

8b1e278db9ecbeda3510a251e207576256e5cfe3171becac7c8b5758f2ca3a9a

MassLogger

a2b0e9c1ea03a3a538fe9ef7f8e6dbf4c08feba8560e238e29fce0dd2f2e144b

MassLogger

b49f4c0a41fe65d3e81919eae65adb01d493e08331e0e3652b30655d55170d52

MassLogger

b515db56b7c63191b19befe748f7af7f00d08623029e8856c86fc46362fbed9f

MassLogger

ce073fce9de335c288fe205d5bf7fbdd9fd3ecc718821116dbad098f176a69de

MassLogger

ed42640da83dda3bf2ed08c414bfd256a82c9a8ef1894a59e3c421b254c59d4d

MassLogger

+ 355 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

spyware stealer family:masslogger

Link:

https://tria.ge/reports/201020-tma6l8mk4a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

MassLogger

MassLogger Main Payload

Unpacked files

SH256 hash:

cbfa5e02ca4acf68dcfa7d286275cf1a6d424d4fe74bf840fc5452cfc3680f1e

MD5 hash:

2f2a9adbcd17540b1954f7f0443fa1f6

SHA1 hash:

a42e3993a2e336a6f7d24aa91ef2c6b28306ea14

Link:

https://www.unpac.me/results/b2a2f0cd-48c0-4c9f-963b-a897d9c03934/

SH256 hash:

c4d781d4c91853bdad84cd8dde6a822b59d3ace1ef107a80035ce8a0f2165770

MD5 hash:

eb67a9510c39844e7c9601f81a121254

SHA1 hash:

166f4cdc73b2e38726dbaeed1d3b2d457247741a

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/b2a2f0cd-48c0-4c9f-963b-a897d9c03934/

Parent samples :

8b1e278db9ecbeda3510a251e207576256e5cfe3171becac7c8b5758f2ca3a9a
619b085c56b844d270db1303e56303fd9ba4575a032c04ab7021e9916eecca5c
b49f4c0a41fe65d3e81919eae65adb01d493e08331e0e3652b30655d55170d52
cbfa5e02ca4acf68dcfa7d286275cf1a6d424d4fe74bf840fc5452cfc3680f1e

SH256 hash:

31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b

MD5 hash:

0aebe46040ceb011e78506d4985fe3de

SHA1 hash:

218ac1e7b14a66c604ec3042f8486bed9cd4c2c1

Link:

https://www.unpac.me/results/b2a2f0cd-48c0-4c9f-963b-a897d9c03934/

SH256 hash:

49e2ca86bbde5474d77aa40424e99c425406241fa9d135cd108d9d4a0bb4f41f

MD5 hash:

34d185f3ff89f5ee545c15cce4b3188e

SHA1 hash:

d9df6bb29402f7175655f34823af05f7dcc2d3f6

Link:

https://www.unpac.me/results/b2a2f0cd-48c0-4c9f-963b-a897d9c03934/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cbfa5e02ca4acf68dcfa7d286275cf1a6d424d4fe74bf840fc5452cfc3680f1e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MassLogger Create hunting rule
Author:	kevoreilly
Description:	MassLogger

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf