MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e64ff6e23ce8911e74ee402d2cc1ed3d54998a56a6fb272b50c5a87363975305. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	e64ff6e23ce8911e74ee402d2cc1ed3d54998a56a6fb272b50c5a87363975305
SHA3-384 hash:	7a4068cdac5d042da59a81d6ce39beb8f2c6e021985be7aa8bbc2ef01efbf18b4f298fe62af1f5cf6cc2dbda27a08386
SHA1 hash:	51a65b71f953c3e988f0a4a2d4e69ea6ca8b2b8f
MD5 hash:	f32cbfaecc2e973799c7e8977a23fbc1
humanhash:	undress-skylark-equal-vermont
File name:	InstallUtil.bin
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	525'824 bytes
First seen:	2020-10-01 15:03:23 UTC
Last seen:	2020-10-06 11:29:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:DZ8M7gu9seB5mV+mMBYJf0hdrK8BnbPZl/xld44ILZn7EqhZ:DWM7gu9seB8gzBjde8BjZl/xTlIx
Threatray	252 similar samples on MalwareBazaar
TLSH	45B4AF25BF61CA31C76D437AD1C75E2483B4C45395E6F749398C2AC909033AA8E877EB
Reporter	Arkbird_SOLG
Tags:	.NET MassLogger

ArkbirdDevil

DLL loader for extract the ZIP which content masslogger stealer. Used on the Italian campaign by the same TA since end September 2020.

Intelligence

File Origin

# of uploads :

# of downloads :

238

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

Win.Packed.Razy-9769683-0

Win.Trojan.Miner-9769768-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Creating a window

Adding an access-denied ACE

Reading critical registry keys

Creating a file

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/479480

Signature

Antivirus / Scanner detection for submitted sample

Binary contains a suspicious time stamp

Deletes itself after installation

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e64ff6e23ce8911e74ee402d2cc1ed3d54998a56a6fb272b50c5a87363975305/

Threat name:

ByteCode-MSIL.Trojan.BMassKeyLogger

Status:

Malicious

First seen:

2020-10-01 15:05:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4zh7nyr45cir45hoiawszqpnhvkjtcswu35sok2qywuhgy4xkmcq._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

6030faadae8d2aa1b94b06da9c0d4ed3ce33076a1bc04218027519b1043a6a95

MassLogger

7f65935cd55b5a0978bf0a70690462a08d83657a97ddbe6aba871a5496d5f9c5

MassLogger

9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4

MassLogger

9c4a2d8473718bdb1725450b6f0567098006b9aa89fbd913acab1bab0857143d

MassLogger

b515db56b7c63191b19befe748f7af7f00d08623029e8856c86fc46362fbed9f

MassLogger

e2df2b406150713616dbcbdbba76f1939e2605c3b30c6ae62e05832eb874e0e0

MassLogger

ed42640da83dda3bf2ed08c414bfd256a82c9a8ef1894a59e3c421b254c59d4d

MassLogger

f925d649aee4b92c974778fd87576229f44972c23df41df5aacdd9dc55fd2c45

MassLogger

fc8f5c635abe5534833683141ae57470c09a246eb290895ce748d1bede405c25

MassLogger

+ 242 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/201001-zdlvedve4a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

e64ff6e23ce8911e74ee402d2cc1ed3d54998a56a6fb272b50c5a87363975305

MD5 hash:

f32cbfaecc2e973799c7e8977a23fbc1

SHA1 hash:

51a65b71f953c3e988f0a4a2d4e69ea6ca8b2b8f

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/55233850-9c43-4e44-b2f5-690f9d324d4d/

Malware family:

MassLogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e64ff6e23ce8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

MassLogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e64ff6e23ce8911e74ee402d2cc1ed3d54998a56a6fb272b50c5a87363975305

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf