MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e630c1d94550061dccd1da06e50b378915870ce4630d646696e9b62fc1e9a8ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e630c1d94550061dccd1da06e50b378915870ce4630d646696e9b62fc1e9a8ff
SHA3-384 hash: a6476f1812333242d27bdabf79cf45b15f176056ae2ebdccbfe5b6f42ec17419624eebba436d94b24ebe1718e27e3324
SHA1 hash: 2598cc33422507fbc3e913ea9f612ac39e0ea1a6
MD5 hash: edbfd9460c7271e1df6cf2c9d18130d4
humanhash: saturn-monkey-black-network
File name:RFQ specification..exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:525'160 bytes
First seen:2020-11-02 14:35:27 UTC
Last seen:2020-11-02 17:02:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:xWMIebSv7vVReP4TYQn0sDTG6R3zhj3+JXnK3HQGN:NevuxQ0s/FFSXnK3wm
Threatray 429 similar samples on MalwareBazaar
TLSH D4B40FB440FE5062E15B682466AFBDA401B2FDC7DFC66A0D237CFD303AB9A52B61450D
Reporter James_inthe_box
Tags:exe MassLogger

Code Signing Certificate

Organisation:Adobe Inc.
Issuer:DigiCert EV Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Jan 31 00:00:00 2019 GMT
Valid to:Feb 3 12:00:00 2021 GMT
Serial number: 06F24D9F4DB07BD7ECAD067F5EE26C29
Intelligence: 9 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: F1D08D7B98504370C1D5C40DCD8D8DCEAB084E9095CEF544465C445A374A18B0
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/81813/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.2699.25437.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% subdirectories
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/518210
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 308205 Sample: RFQ specification..exe Startdate: 02/11/2020 Architecture: WINDOWS Score: 100 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 10 other signatures 2->57 6 RFQ specification..exe 16 6 2->6         started        11 vlc.exe 2 2->11         started        13 vlc.exe 14 3 2->13         started        process3 dnsIp4 31 s317996.smrtp.ru 188.127.225.2, 49703, 49707, 49708 DHUBRU Russian Federation 6->31 25 C:\Users\user\AppData\Roaming\...\vlc.exe, PE32 6->25 dropped 27 C:\Users\user\...\vlc.exe:Zone.Identifier, ASCII 6->27 dropped 29 C:\Users\user\...\RFQ specification..exe.log, ASCII 6->29 dropped 59 Injects a PE file into a foreign processes 6->59 15 RFQ specification..exe 2 6->15         started        19 RFQ specification..exe 6->19         started        21 vlc.exe 11->21         started        23 vlc.exe 2 13->23         started        file5 signatures6 process7 dnsIp8 33 mail.sbrenind.com 15->33 35 sbrenind.com 192.40.115.79, 26, 49706, 49711 IHNETUS United States 15->35 41 3 other IPs or domains 15->41 47 Tries to steal Mail credentials (via file access) 15->47 37 mail.sbrenind.com 21->37 43 2 other IPs or domains 21->43 49 Tries to harvest and steal browser information (history, passwords, etc) 21->49 39 mail.sbrenind.com 23->39 45 4 other IPs or domains 23->45 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e630c1d94550061dccd1da06e50b378915870ce4630d646696e9b62fc1e9a8ff/
Threat name:
Win32.Infostealer.Azorult
Create hunting rule
Status:
Malicious
First seen:
2020-11-02 02:48:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4yymdwkfkadb3tgr3idokczxrekyodhemmgwizuw5g3c7qpjvd7q._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
2fea8f7c727460dfd943dce7f9bb051f188f37a0150a132039a1892f18749ff3
MassLogger
5dd8cf7e789bc36a9a069cf42247f758e8900f8913c88e5ac84328d30e6d7c99
MassLogger
84ff047bcfc4af6e249a5b466477d1b72cf261fc5a40752a62a149158118224e
MassLogger
87846ad003a6ae72132bc3771c9179a5d9ed1857eca281fd53bab57ff6e93de1
MassLogger
a2b0e9c1ea03a3a538fe9ef7f8e6dbf4c08feba8560e238e29fce0dd2f2e144b
MassLogger
c7573f0e33614200aabd85a18762922a3911f96f27f14829b3a36e325aed2d03
MassLogger
ce073fce9de335c288fe205d5bf7fbdd9fd3ecc718821116dbad098f176a69de
MassLogger
d40978f6bcf9982f5d3147ce9717eb72435068525b91cad816cafd7cb4711bbf
MassLogger
d6b834570825a606942ff096f5ad3df33f58082be5a68bab447bc9af4b114e95
MassLogger
fb48e485512f92d6e899abf4f0377868c800e069c516c03c414e73ddd584d008
MassLogger
+ 419 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger persistence spyware stealer
Link:
https://tria.ge/reports/201102-d3nzpg7ahn/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
e630c1d94550061dccd1da06e50b378915870ce4630d646696e9b62fc1e9a8ff
MD5 hash:
edbfd9460c7271e1df6cf2c9d18130d4
SHA1 hash:
2598cc33422507fbc3e913ea9f612ac39e0ea1a6
Link:
https://www.unpac.me/results/c4ad0698-1ad6-4de7-a1e8-aeddfcc88980/
SH256 hash:
1749b59b47be03aa816409ba749d652021139de3c53105fc9e19a44ba5dbdc72
MD5 hash:
ee4560e7502b92e56dd7adf36da52064
SHA1 hash:
9f94a1f7f97b9d7f703ac720cd23ff25cd1ef65e
Link:
https://www.unpac.me/results/c4ad0698-1ad6-4de7-a1e8-aeddfcc88980/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/c4ad0698-1ad6-4de7-a1e8-aeddfcc88980/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e630c1d94550061dccd1da06e50b378915870ce4630d646696e9b62fc1e9a8ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/81813/

Comments