MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e88ad7550181bf69efc96480a3b95ed329b47b60c9cb8b92720d0bfffcee6142. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	e88ad7550181bf69efc96480a3b95ed329b47b60c9cb8b92720d0bfffcee6142
SHA3-384 hash:	85038133a3f862770cba017613fd4d94a981e8ffd0f9eb9d77306dbf33b44ba70d39612153d91e5a4a4551fe32fa690c
SHA1 hash:	02e41f3f30a3170fb550531f0e44549b438da167
MD5 hash:	fe5d754fe03c68873fc971ad021430fa
humanhash:	queen-golf-nitrogen-robert
File name:	RFQ.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	905'216 bytes
First seen:	2020-10-19 06:35:34 UTC
Last seen:	2020-10-19 08:23:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:C9A1GKZHNYPzodK5vBV7v0VEZn0tXcEBvINOZjrb/AtqlCGW/L6qvDzNwZbSe:WA1GUKzodKvX7nYXcEamzkqQLxzyZh
Threatray	362 similar samples on MalwareBazaar
TLSH	19150240F189EBB1DA3D47F6322E8D1843B21CAE53A1D5AC29DE77E05973B414E1AC1B
Reporter	abuse_ch
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Trojan.Nanocore.23.4661.26639.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Setting a global event handler for the keyboard

Enabling autorun by creating a file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/494923

Signature

Adds a directory exclusion to Windows Defender

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e88ad7550181bf69efc96480a3b95ed329b47b60c9cb8b92720d0bfffcee6142/

Threat name:

ByteCode-MSIL.Backdoor.Androm

Status:

Malicious

First seen:

2020-10-18 21:40:08 UTC

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5cfnovibqg7wt36jmsakhok62mu3i63azhfyxetsbuf777homfba._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

35d0f7752b58898566762e5983987073ad1d6be30cfdd9a977f92cd14f48ab7c

MassLogger

50f48263f394b95976bbacb198facd4a274f820f92ecf624a228251359627a93

MassLogger

7428f5ccb3fa2d0ba8b295efd15c9acc87674180aa1d3bf71e8b91cd0a038381

MassLogger

8b1e278db9ecbeda3510a251e207576256e5cfe3171becac7c8b5758f2ca3a9a

MassLogger

a035d5260c69f4a7e3252afcd7066f77fc9da0461e2d21f1ec1807dec4c6045f

MassLogger

b49f4c0a41fe65d3e81919eae65adb01d493e08331e0e3652b30655d55170d52

MassLogger

b71afd9d9ddfed028e4235476c6392f1a6d2bbee4c4263c61afcbb1ba1a2b2c5

MassLogger

bbcaf0746383dc1928fe53805da2d9bb28123e7495d48759202a46217e6b456d

MassLogger

cc566277bb275dde9c670ecd2d89c9d3a0e3b22cb8aa28b4d564d4b8232bbc7e

MassLogger

+ 352 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

spyware stealer family:masslogger

Link:

https://tria.ge/reports/201019-ypy3qngamx/

Behaviour

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

MassLogger

MassLogger Main Payload

Unpacked files

SH256 hash:

31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b

MD5 hash:

0aebe46040ceb011e78506d4985fe3de

SHA1 hash:

218ac1e7b14a66c604ec3042f8486bed9cd4c2c1

Link:

https://www.unpac.me/results/8c20c476-9980-4e45-83b9-706518677729/

SH256 hash:

209dd282471e7e9b0b9579e3b45bde6aeafe27fd5cd944b934c195b9baa98e8b

MD5 hash:

1472cfa6d351d7b4f2044bc229ca1569

SHA1 hash:

6bd0bdd54ca3dce9ac6c41204f3880d4388403ff

Link:

https://www.unpac.me/results/8c20c476-9980-4e45-83b9-706518677729/

SH256 hash:

3fbf00f25e41e3c47fee2b636dbc9f0438905cbef90b96644a241ff0bf72bde9

MD5 hash:

121e49b7a8aace94edf65b314dd071c0

SHA1 hash:

f6a46a70f199293063bf0a610580f68e30038895

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/8c20c476-9980-4e45-83b9-706518677729/

Parent samples :

ad17d05d9bf7bb701bee55b078a0608a038e44a3c1c24b06b3eea34bfcdb280c
2d9767641256c44bceb6d6c684e76d72245750d1174408ef34e5d35185d4cadb
f933824c34258a344750486cb998d303aba7dcaad0dec1e12ea59929b3703dd3
e88ad7550181bf69efc96480a3b95ed329b47b60c9cb8b92720d0bfffcee6142
97f116dcd4a161a4265ccaf07dc12acec0e3e4a3af4216ba95f5f63c80a06fcd
4d4579f75cc3cb0a8c30ee234275dbb119dce187b4a490dff954d405caeeeb66
830a35f0de3ba2f90f79bca1d31b28026305edc8c25bc370ba90a9e8ef893b11
30920f99abe5eed123d3da56f24aca831bcc33e8e91548ef4bb3bc265f412fc2

SH256 hash:

e88ad7550181bf69efc96480a3b95ed329b47b60c9cb8b92720d0bfffcee6142

MD5 hash:

fe5d754fe03c68873fc971ad021430fa

SHA1 hash:

02e41f3f30a3170fb550531f0e44549b438da167

Link:

https://www.unpac.me/results/8c20c476-9980-4e45-83b9-706518677729/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Nanocore

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e88ad7550181bf69efc96480a3b95ed329b47b60c9cb8b92720d0bfffcee6142

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

exe e88ad7550181bf69efc96480a3b95ed329b47b60c9cb8b92720d0bfffcee6142

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/72744/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample