MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2df2b406150713616dbcbdbba76f1939e2605c3b30c6ae62e05832eb874e0e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	e2df2b406150713616dbcbdbba76f1939e2605c3b30c6ae62e05832eb874e0e0
SHA3-384 hash:	37c2cbbba8c86762f8c952431b9df9deefd87e4598bf69fbe7e5add9917c9e4fb49d34ddf87b8a413e94aa8ce2ab96aa
SHA1 hash:	272d2d1d36d39977b1bba49b459daf9da2c649b6
MD5 hash:	2c3108b47553181e0a8a63cb3b5c18a5
humanhash:	cardinal-kitten-fourteen-florida
File name:	Account Update.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'130'496 bytes
First seen:	2020-08-28 14:15:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8836e4f6abfa72ef3182b7f05b5a6c57 (2 x MassLogger)
ssdeep	24576:2sVThVVcDQcPGaYrCcUt26lLd7W0Xg/Vcd/MWE:2rQyGDrUl5q0Xg/VU/bE
Threatray	1'687 similar samples on MalwareBazaar
TLSH	E835C062B2E04877D16326388D0B97749D3AFE113E28BA862BF5DC4C5F797813835297
Reporter	James_inthe_box
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/52363/

Detection(s):

SecuriteInfo.com.BScope.TrojanPSW.Coins.5912.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Setting a global event handler for the keyboard

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/453620

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e2df2b406150713616dbcbdbba76f1939e2605c3b30c6ae62e05832eb874e0e0/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-08-28 14:14:26 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4lpswqdbkbytmfw3zpn3u5xrsopcmbodwmggvzroawbs5odu4dqa._file

Verdict:

malicious

Label(s):

hawkeyekeylogger

MassLogger

4967018fdf08c33d3ef1dff0705c487baf936866408f684dcd19e3c2236489e0

MassLogger

4b9f712433c48ac510be9620a98f09883e4c363c2c265c3534a381c3cc17b932

MassLogger

92227e0112ce45a2da5a726b14a6b573781f3da9e420c952fd10f6b22ca9c2b2

MassLogger

9a8f261bab8c9489b141b7a1cadd5a780d436c33506824d8b4efa709501c98c1

MassLogger

a5db59c39cc0fde14b20829d7dea9e83ad5b4d80d66a22e91a392990143f41a4

MassLogger

afbeeeca14708e4c14b7c1b520c4c12830357b48297e55e08cdd1984acc35b60

MassLogger

d2933e861da953c30de4108d055a6750734788b34ec9691f9d698f901d803f67

MassLogger

d991c4c55e78d7c284d5ba259c54daddf1bef288367fcc36483bcdbd8555b245

MassLogger

f82a52effa51884de08379c6dc8469747a136b89197740c03f926b035b9a1679

MassLogger

+ 1'677 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

upx spyware

Link:

https://tria.ge/reports/200828-3lp6n7xk9a/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

UPX packed file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farheyt

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/e2df2b406150713616dbcbdbba76f1939e2605c3b30c6ae62e05832eb874e0e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/52363/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample