MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f712e3d1f64a9b4c8847f9f0c624615cc0faea60e052e186da1ab965cb49569b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f712e3d1f64a9b4c8847f9f0c624615cc0faea60e052e186da1ab965cb49569b
SHA3-384 hash: 7eb0636ebf05839f4067369968ac432bd29fb842f3b10a6823c49698931039e791536b77de73b49105c2e55b8f3127a2
SHA1 hash: 57d55a1c7f53bf75419ba1dd146624e34c758ac7
MD5 hash: 90eca18d859edf1932af42c59de1d470
humanhash: romeo-bluebird-ink-georgia
File name:90eca18d859edf1932af42c59de1d470.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'249'792 bytes
First seen:2020-08-06 08:20:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:+IYxPeC04rOkLlhomyh/ucvJGRFqGQ3h3eKA3mZlgV:+IPC3rOyqmyxuOJLVA3mjgV
Threatray 698 similar samples on MalwareBazaar
TLSH A645E0D6E4408E50DC294A3B8C3389924B33AC6FEF425606349CB6557BF31DA6A75F83
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
MassLogger SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
60
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/40401/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.48221.30836.3970.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/412643
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f712e3d1f64a9b4c8847f9f0c624615cc0faea60e052e186da1ab965cb49569b/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-06 08:21:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=64johupwjknuzcch7hymmjdbltapv2ta4bjodbw2dk4wls2jk2nq._file
Verdict:
unknown
Similar samples:
065011f5098f869c79ff098a104765fa08050cfef16bac98b0944108de1ebee4
MassLogger
0b0537b9f976c4a49f1105bc03d252c0cac7a99b9abdb1a020d2966b6a0b1285
MassLogger
0fd0591e79669d6016acff95109efd434cc39498d83f4ebdaac67c96091e4fa9
MassLogger
2aa941b7340367ad780683ac45b75f8e63b4df7913b4ca6f95e794fd75b36b03
MassLogger
4c8728146976e30a09321d1e158aeeb46908c54fa8614ccef7fbc9761956eca4
MassLogger
6d2a566cdadb7d1397ba4cc96cf0ad361358a717523f547c30af8c92b88b712b
MassLogger
7a844a73345acfd4a047d76088829ba790ae67a7d3a3527feecb290c6dbfc3bd
MassLogger
7cfa62ab7a592f04b4268ad35e2a90739666f9d5e91eaa5808dd8ba11239f43d
MassLogger
bcd7372fd84fe78e97a72a842df6cab2a5d7a47909a3fd05b13f6f4990de8a7f
MassLogger
e5caa150b119335b8b2fe8c999f8e801c1e74b010ceb58b794804ea6b4b07c61
MassLogger
+ 688 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200806-rmyxy57p2n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f712e3d1f64a9b4c8847f9f0c624615cc0faea60e052e186da1ab965cb49569b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe f712e3d1f64a9b4c8847f9f0c624615cc0faea60e052e186da1ab965cb49569b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/426026/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/40401/

Comments