MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bc730f8804a7ca3bb1ce3ef623dd0589d5813086d950b9173c8294293070a16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0bc730f8804a7ca3bb1ce3ef623dd0589d5813086d950b9173c8294293070a16
SHA3-384 hash: 67e9b4436b99ec443d7d2317e8bafda44d983b3d40739b43bb697a782b7e88af58bb60e2d367c720b85775240ec346d6
SHA1 hash: 892f876ed5d68526b5185b3cc3153889c99aa2b1
MD5 hash: 71694f42726ab57ce7c069b6566683dc
humanhash: bakerloo-london-romeo-hamper
File name:Booking (Ref DF000083-JJ).exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'286'128 bytes
First seen:2020-06-04 06:21:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:+fIbPriX0oycBEeacSORYizsRcFzu7gltAyUew:+f4Gl1SORY8sSzu7bLew
Threatray 1'971 similar samples on MalwareBazaar
TLSH B155ABB13E1B2857C5BE43F13441A1031FEC9CDD29A5D39958B1BABA0EF678C4A90673
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: apollo.t.mk
Sending IP: 195.26.152.35
From: donatela@t.mk <donatela@t.mk>
Subject: BOOKING
Attachment: B-Booking Ref DF000083-JJ.cab (contains "Booking (Ref DF000083-JJ).exe")

MassLogget SMTP exfil server:
mail.radiomeff.mk:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-04 06:54:00 UTC
AV detection:
17 of 31 (54.84%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bpdtb6eajj6khoy44pxwepoqlcovqeyinwkqxeltzauufeyhbila._file
Verdict:
malicious
Similar samples:
069d2f448360c3c787e0310fa3d07f7d5c7c97e805a7703a20ac798257848667
MassLogger
06b9b90d74acfd8c35fbaf0222ec3ff32b77865dac31d44dfead2885cb330500
MassLogger
2488817fd7589194d1a7781f8975be361c8153177af6f79c9c5b06960810f05c
MassLogger
36bb4745d0a342a57dbd7c668aed07e956ff166df4864e21b0770e790f734acc
MassLogger
5122e63f0171e3c0ec53cb95092b5652630abb8c1f23186ed1afb61cfeea3d40
MassLogger
57f1c863e4e30e3daf8c2615372fc1961ec72e92de7b6eab13b08f25656d1530
MassLogger
82d32f5841ba04262e4b1a15d798cfbd69a4bc9ebd37caf3573818e7a2140639
MassLogger
898abdb2d9de0344e5b43ac7e4330faeb03d97aa0a3c37e0a37da0ed4d732e9b
MassLogger
9a813db555b2a251a1068f50b1b02d642bb570337058f7f3a7028cafccbe1f54
MassLogger
f0f7f9f3d293065a8554c6b9e4757bf511dd3577636ca1a075e0afd206250e5e
MassLogger
+ 1'961 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger ransomware rezer0 spyware stealer
Link:
https://tria.ge/reports/201109-mrc3fnbqwe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
rezer0
MassLogger
MassLogger Main Payload
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar 409af498846982f25eb7faecf8370836ab30f41996e7cb19eae7e6c07ad38c9a

MassLogger

Executable exe 0bc730f8804a7ca3bb1ce3ef623dd0589d5813086d950b9173c8294293070a16

(this sample)

  
Dropped by
MD5 33bb270625e352bced5aa03deaa59629
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 409af498846982f25eb7faecf8370836ab30f41996e7cb19eae7e6c07ad38c9a

Comments