MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9575adae2fa6afb6b8d8fb098feec9d4acbadabda4beeca90433b578cd6afa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9575adae2fa6afb6b8d8fb098feec9d4acbadabda4beeca90433b578cd6afa1
SHA3-384 hash: 3d5822b3f618eeb7ddd1979456c2d359cf4ad89081cf915256df9c7d74bad4fb4655e4944930b4e207033a8fd8175202
SHA1 hash: 1b71449f295eae0994f4d62de838b1af168c0a09
MD5 hash: 2cb0cf48d5eafbd16bbf8cdda749d628
humanhash: quiet-solar-delta-venus
File name:TIRNAK.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:30'664 bytes
First seen:2020-12-15 12:18:06 UTC
Last seen:2020-12-21 09:13:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:S9LkmTgKSZjPVbkTyMGzqAPcr4a2YOaaC8WyRtqyUf2hg:S9LkmTgKoNbkTyM/7r4yOaahWMtqyUfT
Threatray 589 similar samples on MalwareBazaar
TLSH AFD2D659131CBF42FA97873432078163AB417BA673BF4BB1E431175ED4916806BA7A83
Reporter cocaman
Tags:exe MassLogger

Code Signing Certificate

Organisation:Caddbbcff
Issuer:Caddbbcff
Algorithm:sha256WithRSAEncryption
Valid from:Dec 15 05:31:42 2020 GMT
Valid to:Dec 15 05:31:42 2021 GMT
Serial number: 88BC60F61C04CB7FC4114703FA3173F9
Thumbprint Algorithm:SHA256
Thumbprint: 11FE8639FB3B8A8B5C18215DCD291B2AE71C37B748470D2A9E6FD170B95AE57A
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
11
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TIRNAK.exe
Verdict:
Malicious activity
Analysis date:
2020-12-15 12:18:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9bd6b0b6-e043-46d5-83e5-68ca3fb73443

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.105.3573.30220.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Deleting of the original file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/563153
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 330662 Sample: TIRNAK.exe Startdate: 15/12/2020 Architecture: WINDOWS Score: 100 68 mail.porathacorp.com 2->68 70 porathacorp.com 2->70 72 3 other IPs or domains 2->72 92 Multi AV Scanner detection for dropped file 2->92 94 Multi AV Scanner detection for submitted file 2->94 96 Yara detected MassLogger RAT 2->96 98 7 other signatures 2->98 9 TIRNAK.exe 18 6 2->9         started        14 TIRNAK.exe 2->14         started        16 TIRNAK.exe 3 2->16         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 86 hastebin.com 172.67.143.180, 443, 49743 CLOUDFLARENETUS United States 9->86 88 192.168.2.1 unknown unknown 9->88 62 C:\Users\user\AppData\Roaming\...\TIRNAK.exe, PE32 9->62 dropped 64 C:\Users\user\...\TIRNAK.exe:Zone.Identifier, ASCII 9->64 dropped 66 C:\Users\user\AppData\...\TIRNAK.exe.log, ASCII 9->66 dropped 106 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->106 108 Creates an undocumented autostart registry key 9->108 110 Drops PE files to the startup folder 9->110 20 TIRNAK.exe 2 9->20         started        24 cmd.exe 1 9->24         started        112 Creates autostart registry keys with suspicious names 14->112 114 Creates multiple autostart registry keys 14->114 26 cmd.exe 14->26         started        90 104.24.127.89, 443, 49753, 49755 CLOUDFLARENETUS United States 16->90 28 TIRNAK.exe 16->28         started        30 cmd.exe 1 16->30         started        32 TIRNAK.exe 16->32         started        116 Injects a PE file into a foreign processes 18->116 34 cmd.exe 18->34         started        36 cmd.exe 18->36         started        38 2 other processes 18->38 file6 signatures7 process8 dnsIp9 74 mail.porathacorp.com 20->74 76 porathacorp.com 103.6.196.138, 49756, 49777, 49779 EXABYTES-AS-APExaBytesNetworkSdnBhdMY Malaysia 20->76 84 3 other IPs or domains 20->84 100 Tries to steal Mail credentials (via file access) 20->100 102 Adds a directory exclusion to Windows Defender 20->102 40 powershell.exe 20->40         started        42 powershell.exe 20->42         started        44 conhost.exe 24->44         started        46 timeout.exe 1 24->46         started        48 conhost.exe 26->48         started        78 mail.porathacorp.com 28->78 80 nagano-19599.herokussl.com 28->80 82 api.ipify.org 28->82 104 Tries to harvest and steal browser information (history, passwords, etc) 28->104 50 2 other processes 30->50 52 2 other processes 34->52 54 2 other processes 36->54 56 2 other processes 38->56 signatures10 process11 process12 58 conhost.exe 40->58         started        60 conhost.exe 42->60         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9575adae2fa6afb6b8d8fb098feec9d4acbadabda4beeca90433b578cd6afa1/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-12-15 07:24:57 UTC
File Type:
PE (.Net Exe)
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5flvvwxc7jvpw24nr6yjr7xmtvfmxlnl3jf65suqim5vpdgwv6qq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
0a6447ca302af67b351842f078f0462cf33c95d587da76e220322cd9bd9803a3
MassLogger
265c93af05ea076407228de4cdfecc5e4052273610d35021afd1d0e72c81bb92
MassLogger
310f5815e8e68ccdf1d75985e8fbbe6b3b9a6997155505d97066d75c6ab9ced7
MassLogger
5b32ffc4c10114b55115da9f2c6e4ee22222f5d305552daf00a287b82d66c9dc
MassLogger
6030faadae8d2aa1b94b06da9c0d4ed3ce33076a1bc04218027519b1043a6a95
MassLogger
78a59829f0dd9b3ec88a68096284de67dd8806d3690d11f017f7b2893a98354d
MassLogger
b4c677c568152f925904f613d1361015ea9a07d105874411dc7962f57ebd7412
MassLogger
cc8e79ce79d0078b6483062f8fc8d187f5fdcf92c9f51db25551a19d22af0a87
MassLogger
e39ed8bfee05ab6d964885748f4800bf955b47b59002213e34e5b9d331882b98
MassLogger
f83ad58372165b89222b164f3da6a0b4edad02409d13df77e713ad860a6489e4
MassLogger
+ 579 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger persistence spyware stealer
Link:
https://tria.ge/reports/201215-9k9yn8545x/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Drops startup file
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
e9575adae2fa6afb6b8d8fb098feec9d4acbadabda4beeca90433b578cd6afa1
MD5 hash:
2cb0cf48d5eafbd16bbf8cdda749d628
SHA1 hash:
1b71449f295eae0994f4d62de838b1af168c0a09
Link:
https://www.unpac.me/results/f2f43305-9168-40ac-b48b-5f6fd3351f8c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e9575adae2fa6afb6b8d8fb098feec9d4acbadabda4beeca90433b578cd6afa1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 587f41bd4278f8356d8750860b84687d85f44ec808055613dc47fe2afef454ae

MassLogger

Executable exe e9575adae2fa6afb6b8d8fb098feec9d4acbadabda4beeca90433b578cd6afa1

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 587f41bd4278f8356d8750860b84687d85f44ec808055613dc47fe2afef454ae

Comments