MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d18ed06b9419076750525d6324bce7702186263efaa0ab0d3647510268883f37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	d18ed06b9419076750525d6324bce7702186263efaa0ab0d3647510268883f37
SHA3-384 hash:	ec8c5f09da2b173959e8fa17fc1aa44981016f06c10b2adde73e41ef4983dc4981c6739ba394423838ec5ffa5ea4308b
SHA1 hash:	02045ca7467a72c31484ae2d78309ac488d766e8
MD5 hash:	ffd62f96ac2c3e9eed9e141fb3d1954c
humanhash:	arkansas-diet-fifteen-skylark
File name:	PO#854919PI.XLS.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'024'512 bytes
First seen:	2020-10-13 06:47:20 UTC
Last seen:	2020-10-13 08:21:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:K9VE4WTdIQAEy8mHPShtKv/mWr/X1OfpVKEt:KHE47UxjKvlrfQt
Threatray	313 similar samples on MalwareBazaar
TLSH	8825129033A95BA6D27FA3F9532A24402BF531172522F70DAEC22DCF6569F51CA01F63
Reporter	abuse_ch
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

104

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/70296/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.3009.26487.20242.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Launching a process

Reading critical registry keys

Setting a global event handler for the keyboard

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/489278

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Binary contains a suspicious time stamp

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d18ed06b9419076750525d6324bce7702186263efaa0ab0d3647510268883f37/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-13 06:49:06 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2ghna24udedwoucslvrsjphhoaqymjr67kqkwdjwi5iqe2eih43q._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

553ad8c805d4151e154177bb4fbb1678711306d8eefba081ec36bf0518d4e88f

MassLogger

62ddfbbb9039c0671aa08af5d0fdd0fe949eb96e435c631a57e931e4b19743a9

MassLogger

6d9aaf59f30c370edf5921da5c9085d00c826c01af55e8dde046b08b2573d8f2

MassLogger

b3f2d07e97cfe28deee3a65b8541c48f96f022b52db515b06c635f3b9fcc35ef

MassLogger

bced2082dc766d01bcbb3b1ad8da3b6e482caaef683444a76fadb3bd543d26ec

MassLogger

c6c9d96f79bfdb417fb481028ff91843f34cafc277c2f665f43ab48e08889347

MassLogger

d86a036697fc43fa7041bd5e298ff785adcf44c78057f3c1c9db8fa9f694ce64

MassLogger

e0693087d46213280ce4281058ff53b07f433a9b07f4eaebf41314dd724f8e73

MassLogger

e63d9fff34fc1c54b4e9bcb779e8101ca5e65f84d84e153c0788dec7d8ee5d42

MassLogger

+ 303 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

spyware stealer family:masslogger

Link:

https://tria.ge/reports/201013-766vnvxr5a/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

MassLogger

MassLogger Main Payload

Unpacked files

SH256 hash:

5e7a09956c1e263d2f84a631581e5f76e64716e237d390f4b3669071f22fd90a

MD5 hash:

cd12648c4cd14369f18292477b65589e

SHA1 hash:

02c95076c255539fcd8a77632d48859efa6eaa78

Link:

https://www.unpac.me/results/b5699f8a-838e-440b-bc54-b8e114038c63/

SH256 hash:

d2e8fdda571fab2369b8ef03a31599cca12769b671f4b6fdd834be409c69e325

MD5 hash:

7812283b6755d64387b920d1647e23a7

SHA1 hash:

5de53822f2b69758fdd44cd4acff130fd3e1499d

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/b5699f8a-838e-440b-bc54-b8e114038c63/

Parent samples :

d18ed06b9419076750525d6324bce7702186263efaa0ab0d3647510268883f37
a1cc51486690053098454d2e313c4db5071afb8ae600d8caa87a4c5769ee51c2
37899ec2bb2af9ca237b54707d5e7fdff2618bbe743144f71a3338de8bca2c62
ca18e92f0eb610f92ce008b708acdca5969f308e319f5f128099514948dbd808
60433e0a1c1fb088c5be37ca9760486fd17bb99b848817880b5601e77150e1c8

SH256 hash:

607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b

MD5 hash:

a90baadadf904455325f7bc787185c7b

SHA1 hash:

7d833bb819d638008c98be469b05db2feaf201cd

Link:

https://www.unpac.me/results/b5699f8a-838e-440b-bc54-b8e114038c63/

SH256 hash:

d18ed06b9419076750525d6324bce7702186263efaa0ab0d3647510268883f37

MD5 hash:

ffd62f96ac2c3e9eed9e141fb3d1954c

SHA1 hash:

02045ca7467a72c31484ae2d78309ac488d766e8

Link:

https://www.unpac.me/results/b5699f8a-838e-440b-bc54-b8e114038c63/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/d18ed06b9419076750525d6324bce7702186263efaa0ab0d3647510268883f37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/70296/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample