MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f56d7d52023e3a3dd1f6b2c2dc31b11a509d6175ca1385459bcc1cf4a67c9c2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f56d7d52023e3a3dd1f6b2c2dc31b11a509d6175ca1385459bcc1cf4a67c9c2f
SHA3-384 hash: e4da3e3009702869b75e88ea15935e55ec3caaa688544d814e2abb30c7d7aa3a5bf0c8ec1e11b0eb2f847fdf754e40e6
SHA1 hash: acdae484c8e11ac973860b17d408f102f1f7ac30
MD5 hash: 2d507b5e2fd52bec7caa8081957a6851
humanhash: mirror-bakerloo-saturn-summer
File name:CsdMVmZguofylUZ.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'391'616 bytes
First seen:2020-07-17 05:27:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:CTL8Zz2k4zULeZn1yMKzbIxQICTZrH/lcx/fV6LPvUAX4E1AfzXu7iUz1KoLq363:W8Z0BYMaIpC7ytATcfTGpiCm9hgEg
Threatray 7'743 similar samples on MalwareBazaar
TLSH 9155E0D83590B99EC80E8D764950DC30A6207D22F6FBD147A3C36E9F793D697DE402A2
Reporter JAMESWT_WT
Tags:MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27193/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.28261.10636.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/388920
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f56d7d52023e3a3dd1f6b2c2dc31b11a509d6175ca1385459bcc1cf4a67c9c2f/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 22:06:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6vwx2uqchy5d3upwwlbnymnrdjij2ylvzijykrm3zqopjjt4tqxq._file
Verdict:
malicious
Similar samples:
10c341f03698c730a4591d844c0d563f19e4a6b87934b45ff0447bd57808bb32
MassLogger
1146e4d995c67932f70852ddd73410efbf0ecfbe227fa9834ec7dfea12cb6097
MassLogger
12c7ff58c14c67fa84752c1b136860c7c621ccf8cd947183f6b1c918b4c8c737
MassLogger
1b59de7a97df74d5e59c0f02697e9ae4e9391a01998de6baf4c937bdf2f678f5
MassLogger
5580e34f50f932f27c42e1d2b8551aaed212321a4a519442ee38dadb61ecd7f9
MassLogger
9c33a1f6a337e39a99c4480f19e63fbaeee191defcd51c8a908e9af9da8e115c
MassLogger
baa5321e840dcceec831ecdfdae4d19b166c1083e6b61dc0ab24d559683e1c51
MassLogger
d7269fff7321b7254a2a6ce7e6fb9b8347d73cb78597d73412b8d21344832e81
MassLogger
f8bfe504676559b37494dd204efc4974a7a08f2abafdbee5a8e75bc6df16e5d5
MassLogger
fe6e78fc04cc85915c056447a608233c7094caf911cc8de0e0491184cdaf056b
MassLogger
+ 7'733 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200717-vzaahflnw2/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f56d7d52023e3a3dd1f6b2c2dc31b11a509d6175ca1385459bcc1cf4a67c9c2f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe f56d7d52023e3a3dd1f6b2c2dc31b11a509d6175ca1385459bcc1cf4a67c9c2f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/413820/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/27193/

Comments