MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6f73562c2013f0fe1ef835228ec4e7ff3fe5f9d19b698c4f68bd17b406e783d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	d6f73562c2013f0fe1ef835228ec4e7ff3fe5f9d19b698c4f68bd17b406e783d
SHA3-384 hash:	84542ce8871f480fb2439ab59f8247b05b53cf4da76cb136e760bdc218402f3baef3001fb7c93b64fa1401875961a246
SHA1 hash:	5136205743d67f0e03081d73802c920fc95fa4ea
MD5 hash:	e7f73efb6f431a4dcfd419ed2123e14c
humanhash:	maryland-colorado-eighteen-romeo
File name:	Nqwyfkrohm.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	4'754'944 bytes
First seen:	2022-10-31 15:19:33 UTC
Last seen:	2022-11-03 12:26:55 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:Ib1xvFW77cwfRELxCGRN2qVtP+f1mcwj+sCbIDu4HWMZq6FDwe3NyMXHbjy9yLEC:
Threatray	2'837 similar samples on MalwareBazaar
TLSH	T18D2623F5A0EF8496F147CC9156BCF9A515B231E3EDD90878032EB640CFAED543A48A4E
TrID	63.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	d4c4c4d8ccd4d0c4 (10 x AveMariaRAT, 6 x AgentTesla, 2 x Formbook)
Reporter	cocaman
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

258

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Nqwyfkrohm.exe

Verdict:

No threats detected

Analysis date:

2022-10-31 15:20:46 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/cdb4cfbd-fde9-48ea-97e8-00910ac05b4b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/326468/

Detection(s):

SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a file

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Reading critical registry keys

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/635fe7a5736e9d884f0db152/reports/4f087b54-0243-498b-9902-375234bb0711/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/453e5d89-e016-4345-9eee-9aa7febc1136

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1101800

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d6f73562c2013f0fe1ef835228ec4e7ff3fe5f9d19b698c4f68bd17b406e783d/

Threat name:

ByteCode-MSIL.Trojan.Scarsi

Status:

Malicious

First seen:

2022-10-31 10:54:35 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=233tkywcae7q7yppqnjcr3cop7z74x45dg3jrrhwrpixwqdopa6q._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

431259109385ec63af8de3962a7439e71c9361c30051ac30febcda57114e201a

MassLogger

43e3b54c1d828e19d892ef713583915e2e72858be12fe2d0cc5330ecb69b7eea

MassLogger

588572e37df45867b14d17b7892c5337ecce9e618b43ae6aae8ab187c35bbc92

MassLogger

65974a49b0f427641f96866baacf2ab54717f613adc747812061bb05e4dde779

MassLogger

768e07081c36c61c7ca4cc6c996c99e128adb6d137ad5c4f15f14edd17e492ca

MassLogger

8785300bc02bbf034417c477db91c121123b31b1eaf24fc0f74ee11e11ec058c

MassLogger

9c348075ed5b4586cb68c9d794189661b4bcb53c86eff81afd634e29ef9e8369

MassLogger

c1896a9e47fd1fa35cf772baa4dbdd124d946caf14a5fc9ea7e3192de587e8c6

MassLogger

f333b87b79d0fbf142976bb401a082f189b00c49e65a3ad7b1ed5b8f33320ba0

MassLogger

+ 2'827 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

collection spyware stealer

Link:

https://tria.ge/reports/221031-sqrhlscbar/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Reads user/profile data of web browsers

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/8f57b16f-ef70-40ff-a584-53c70b88bd70

Unpacked files

SH256 hash:

d6f73562c2013f0fe1ef835228ec4e7ff3fe5f9d19b698c4f68bd17b406e783d

MD5 hash:

e7f73efb6f431a4dcfd419ed2123e14c

SHA1 hash:

5136205743d67f0e03081d73802c920fc95fa4ea

Link:

https://www.unpac.me/results/3e12b7cf-7b07-4319-bda8-b44b0aba561f/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d6f73562c201/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d6f73562c2013f0fe1ef835228ec4e7ff3fe5f9d19b698c4f68bd17b406e783d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

z a015d549105cb1a7522ee546aaea0641067f2e35fdee83dbcb2bca47090f936b

MassLogger

exe d6f73562c2013f0fe1ef835228ec4e7ff3fe5f9d19b698c4f68bd17b406e783d

(this sample)

Delivery method

Other

Dropped by

SHA256 a015d549105cb1a7522ee546aaea0641067f2e35fdee83dbcb2bca47090f936b

Cape

https://www.capesandbox.com/analysis/326468/

Dropped by

MD5 c0b0ccf47d2187e5bd20fca41a114e19

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample