MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 059813164c50fcec84c7ff9102154104f870603b59c1226d07d2ae2790c8f4cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 059813164c50fcec84c7ff9102154104f870603b59c1226d07d2ae2790c8f4cd
SHA3-384 hash: 945294057e4348491a7b299616d901cc69e9391874fe44f30520328069273fef079a16e6d8d32fbfd631cfcc712a9039
SHA1 hash: e20d2879077d303bcb77788694db24d5c1546f0d
MD5 hash: 4206b71a2ccf2d8ce65d60715626fbff
humanhash: mountain-magazine-alpha-eleven
File name:RFQ.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'083'392 bytes
First seen:2020-06-09 05:48:40 UTC
Last seen:2020-06-09 13:30:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:EKKxv68+ZwNvuC1FCeGzPI0j5yZJZivlXiszX:Ixv/+ZUuICewj5MHio0X
Threatray 556 similar samples on MalwareBazaar
TLSH 413512013340E625C9AD82B5D6A61174C3AA5C837F70D6096927729AAFF3F50BF04EDD
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

From: hr@mehargroup.in
Subject: RFQ
Attachment: RFQ.gz (contains "RFQ.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WGF.8296.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Spyware.Masslogger
Create hunting rule
Status:
Malicious
First seen:
2020-06-09 01:29:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=awmbgfsmkd6ozbgh76iqefkbat4hayb3lhase3ih2kxcpegi6tgq._file
Verdict:
malicious
Similar samples:
6299f3e36dc84d0d1aa0b460cfe353d8460f8aae5b13aa75aab9d8ea2efc1a7a
MassLogger
64a0f19845c2724ec1e75467da1f1cab42ef3a78914171af40a0c4c8f798a9fd
MassLogger
740937dc2e4ce55ffde8c557976b25715c76db9ee3d7dd0e8f866983575c8621
MassLogger
8c3156c901bae62d20fce1aa07a4c0e0252ac6ab6443877396a37f83441f2b65
MassLogger
9336f77019f21d2e8e512509c4c246925c6b3cf96d03ac45f080bbc330055d7b
MassLogger
d2827b9a0edb006fbb6ade9f63d0948515ace0f6199a5a59725b8279eed54f25
MassLogger
e337cef021313425e1bb071d32482f61722d1980e8bb0d2deac6c2cd1f7bce55
MassLogger
e772c14876f251ad71aa44567a90859fef8979860f44c77981d537fca37e7400
MassLogger
f1542701299aa44f2329dde6c86e571ebd11566aec5700ae5dd48c283d7ef6ac
MassLogger
f98d355a4771e886220488b0bffa005af9769480cde5aad275d4166c2f9b2e48
MassLogger
+ 546 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger ransomware rezer0 spyware stealer
Link:
https://tria.ge/reports/201109-qyfr9pj33a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
ServiceHost packer
rezer0
MassLogger
MassLogger Main Payload
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

gz 3a56dc8f555f5089342a75860f3cf5196c9ce7c3b9ccf99542f89d5d9085f928

MassLogger

Executable exe 059813164c50fcec84c7ff9102154104f870603b59c1226d07d2ae2790c8f4cd

(this sample)

  
Dropped by
MD5 b48f898ee5b851e5825d0400a7a5f764
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3a56dc8f555f5089342a75860f3cf5196c9ce7c3b9ccf99542f89d5d9085f928

Comments