MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee880952ee58fc84d182465b247a4b01e876ff1186cc4ae16ffb94ef44b45700. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee880952ee58fc84d182465b247a4b01e876ff1186cc4ae16ffb94ef44b45700
SHA3-384 hash: 64a15ebaf9aea5feb76807a9e3f7980f4c8f95992d13f57cec4764c60865cec46ecc189e3c356a74cb4bad0d69d49c5d
SHA1 hash: e744481c34c5792b6199821f50da13a2c375c719
MD5 hash: 9819aa4a5a3ac2bc168c60bab29b6874
humanhash: whiskey-harry-monkey-fix
File name:KINO.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:863'744 bytes
First seen:2020-09-25 16:21:54 UTC
Last seen:2020-09-25 16:38:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:dUMTlbfO1RIv9SwceTkTu5JUHDsJmWUcRc:dzlbO1RIVcGt5JUDc
Threatray 607 similar samples on MalwareBazaar
TLSH A705011466E88B25E2FE57B8D07D0C14C7F3AA13C621EE8EFC9910B91B6BB61C512753
Reporter James_inthe_box
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.437.14260.14540.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/475371
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee880952ee58fc84d182465b247a4b01e876ff1186cc4ae16ffb94ef44b45700/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-09-25 10:23:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=52easuxold6ijumciznsi6slahuhn7yrq3gevylp7oko6rfuk4aa._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
16d026f0d1866dc8e6cc6ae6d3db171c7b339b9bbdde6fb28d0ee6de633d71b3
MassLogger
1eaff8168df5df270c3d844483f5b9b93075c1e0d6a8a5bc8e733d2c039a1fdb
MassLogger
391f96154aa7c7d4f4616e3746a3a533652f64419f711c8510c99e01ffa78c61
MassLogger
5de3a91f516ff756b450155641e354aebc48ff4701721dde73ef1960bf955b94
MassLogger
8ca10b0fcde48ff00c9218062eb8aefe2a9d3ddc5e240a9da4a2e7764cbfff90
MassLogger
b6425efa950d3d45e01f94cf2ea732148a6454a9ebd8b253d18e6f08ebc724e8
MassLogger
da41f5d16a81585d67bb46beaffb4b5206601ec135a98e427dea347f3896f095
MassLogger
f94e93ad699e6c297288e50a6661e7e39105b6257af8dc7b0f9a1fd99a09bc03
MassLogger
fd8588b03212cad1e0f819f8ae68aee09c111f41821494eb4be0cd862b523454
MassLogger
fed11233078cad87ccd876c50e08453d3be0f8582e939d2c8890821c7819e86d
MassLogger
+ 597 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200925-ttrzj8akts/
Behaviour
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Unpacked files
SH256 hash:
ee880952ee58fc84d182465b247a4b01e876ff1186cc4ae16ffb94ef44b45700
MD5 hash:
9819aa4a5a3ac2bc168c60bab29b6874
SHA1 hash:
e744481c34c5792b6199821f50da13a2c375c719
Link:
https://www.unpac.me/results/59b9411b-e2a7-4db7-8eae-36efa2b28ab0/
SH256 hash:
a33c7aeccc947386f31180982ead1e0367e51ba2f73415ddc567555573fa1238
MD5 hash:
ffb919de8cb9e6936f97dee86f21b83e
SHA1 hash:
179d91f90e0db9ceba52deea9b6bef7ad3d160ba
Link:
https://www.unpac.me/results/59b9411b-e2a7-4db7-8eae-36efa2b28ab0/
SH256 hash:
3ffc4f0acd61ba8fa6157f930b2c9624dcd4764d85ba953ecb6ca3df99bb8d51
MD5 hash:
5851411659e6fe95ebef52f9c00f5dad
SHA1 hash:
2ba20d3ec204ece4b2f5053e5eb6ec15856f96ed
Link:
https://www.unpac.me/results/59b9411b-e2a7-4db7-8eae-36efa2b28ab0/
SH256 hash:
785261875049471f6432827571071af39fdb06ec0a223224c12792201a9f66e5
MD5 hash:
e41b095949e16c551511c80acfc18ac2
SHA1 hash:
c1c9299481d8604297151f48ac8c790c9e920504
Link:
https://www.unpac.me/results/59b9411b-e2a7-4db7-8eae-36efa2b28ab0/
SH256 hash:
8cb46c6ed62c3dcd8d5ff9ecb455843e72ceb7c72110b172ff4e6ac4d9451a34
MD5 hash:
8d77899cb399dc4c91eddb605eebbd3a
SHA1 hash:
f18f33cbc670c26fb78869326cee6e2ec6c69505
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/59b9411b-e2a7-4db7-8eae-36efa2b28ab0/
Parent samples :
ee880952ee58fc84d182465b247a4b01e876ff1186cc4ae16ffb94ef44b45700
2f61047689118e21626c8cf55f4400cb7e65bf68684f326609252eb070bfd887
1d6159b26b3bf4e080949b2bb754b3f095b24a084e9d1693f598970cebcf754c
4628c89109f5af8e4e6522f56ddb77abafd801fd38a48d61240987586b4b7dc8
619ae9f6605a4c01851999c358172385764b50bb32abbe80f2d3ed341807c137
7bed2f09d2796f9c8f437f20e993e119d871c364895bec22192d754ee83dc30f
6938bb5b3bd1c8666fef0c03e06d654752a1678888eab3946d7d46afa5f4be80
0ad81d618eb99e9e2e3d820cb7f2ff603bfc3395b74e26cad39a200c93942cd5
SH256 hash:
a4009288982e4c30d22b544167f72db882e34f0fda7d4061b2c02c84688c0ed1
MD5 hash:
7c359500407dd393a276010ab778d5af
SHA1 hash:
4d63d669b73acaca3fc62ec263589acaaea91c0b
Link:
https://www.unpac.me/results/59b9411b-e2a7-4db7-8eae-36efa2b28ab0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Starter
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee880952ee58fc84d182465b247a4b01e876ff1186cc4ae16ffb94ef44b45700

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/65902/
  
URLhaus
https://urlhaus.abuse.ch/url/410810/

Comments