MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2d83fb7446e0969d3ffab161cb2d258041c9c0e686de6dc978b334b444b0512. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	d2d83fb7446e0969d3ffab161cb2d258041c9c0e686de6dc978b334b444b0512
SHA3-384 hash:	f4302f53317db98be0726169f44f338bee752faff602225e41609cde4d55c01b8c80aef0ee0b04a7a6c07d1afaafe390
SHA1 hash:	e7e637c86996ad3275595e7f408ed9c3f75e5f4e
MD5 hash:	0fee5ad74a1f6a5cf38332a743ce4246
humanhash:	six-quebec-quebec-london
File name:	0FEE5AD74A1F6A5CF38332A743CE4246
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'159'680 bytes
First seen:	2020-08-27 05:33:55 UTC
Last seen:	2020-08-27 07:19:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:pXdgseMnCyDML1phHWzuB0aDMDzk3a5VOacoVhhuV6nWix:ptg8MLh26B0aoDzkKmoVhhu
Threatray	439 similar samples on MalwareBazaar
TLSH	2C350246132A8B3DDE48B1BD719040ADE6326A43EF35E1D8EF0B71B9994A55EF05C3C2
Reporter	Anonymous
Tags:	MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

MassLogger

Link:

https://www.capesandbox.com/analysis/51579/

Detection(s):

SecuriteInfo.com.Generic.mg.0fee5ad74a1f6a5c.5751.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/452275

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d2d83fb7446e0969d3ffab161cb2d258041c9c0e686de6dc978b334b444b0512/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-08-27 05:35:05 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2lmd7n2enyewtu77vmlbzmwslacbzhaonbw6nxexrmzuwrclauja._file

Verdict:

malicious

MassLogger

332287b244dfebbabac15b5b4dd3fc3bb6f488d3460c2de5259254136040d0e4

MassLogger

35a38e46b89b6145d415c29cf2a3d5c746e2f8b6728fc1a0a4d78865e7ed9b59

MassLogger

36ccd31c1ec6282731d19195236079e96b13c2c387703265ac788f46f1777c95

MassLogger

38fcb333238cb4390662b70073f768dd5928d7995b77747add4f2acc8dff4db0

MassLogger

4a4688aef8ed33c99bda67183d11393956d9e29453ebc230bce72d06f788520a

MassLogger

4cbc170e21690671a4d72358dff18495f7fc2b5278eb331933de84fcebaa7f4e

MassLogger

5f50699c3144405b2458bac5d4ae1c6f9945dc5c91641a91326602d0b387f7b9

MassLogger

89116942312d8a60d9dff7624d4550b1f84def97b0251cb705e705e1d125edcc

MassLogger

f993204d13f7fb5d573fab0a29f3064ab7df3cea32816a6af8df3f22e49c9f81

MassLogger

+ 429 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

spyware stealer family:masslogger

Link:

https://tria.ge/reports/200827-2bwcd9jwhe/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/d2d83fb7446e0969d3ffab161cb2d258041c9c0e686de6dc978b334b444b0512

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/51579/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample