MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c1d8cac8cfb4595fecf65abe0a296e1c9d4fab6be41a2d33e1c615144e5c7a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c1d8cac8cfb4595fecf65abe0a296e1c9d4fab6be41a2d33e1c615144e5c7a0
SHA3-384 hash: 73327802ae73134408343980d5a7e99f36d85850e2e6e585c828852b4a3c71ac1f7d3f71dbc95e8bb72012de2fb31e3d
SHA1 hash: f2923c2e1832a3c6047a3b530e440727c27eb9df
MD5 hash: cccc9c91c9de92bd1cac10b7bf9fce8a
humanhash: music-skylark-three-steak
File name:yeni siparis.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'227'776 bytes
First seen:2020-07-20 12:17:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 947a363cee796918c4dd5f0352950426 (5 x AgentTesla, 5 x Loki, 5 x MassLogger)
ssdeep 24576:Za8voVOIObYfZoEOqUM6uWAHlFh+A0jf3g6qw5P:Zvo6IZoQHln1Cf31
Threatray 2'864 similar samples on MalwareBazaar
TLSH 5245E127F2E04877C1772A7C8D1BA668A836BD003D2C99756FE75C4CDF3A64034A52A7
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: dbschenkerarkas.com.tr
Sending IP: 156.96.58.85
From: sefa.kaya@dbschenkerarkas.com.tr
Subject: yeni sipariş
Attachment: yeni siparis.r00 (contains "yeni siparis.exe")

MassLogger SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Win32.Herz.B.10949.1876.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading Telegram data
Creating a file
Reading critical registry keys
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Deleting a recently created file
Setting a global event handler for the keyboard
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c1d8cac8cfb4595fecf65abe0a296e1c9d4fab6be41a2d33e1c615144e5c7a0/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 12:19:09 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bqoyzlem7nczl7wpmwv6biuw4he5j6vwxza2fuz6drqvcrhfy6qa._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
0f070e347f19a989c9e25c593ee45aa340020b3b8d16afd20e187e446cfd3139
MassLogger
1e62a268e2511720e6cbf0f77780e3147ca2d060d75118d5e0984e3059593829
MassLogger
5eb03557bea836689fd85bc82912388cce5771e2f85696c82357462534c1d3c6
MassLogger
75a6581d60198c4910011fdb2c732679635b35ed28db20f9d3483c89efb26db6
MassLogger
c4284c413395930a3ca9561d55045bb40c5d14d8c70e44f4f7a9b944ef34935c
MassLogger
c6623c1d81defbb2f39224fad80aa071b99b3d08788f6cd400e9c43f9c324b0b
MassLogger
e26473e8992749658b9c141351cc04808187e45a81bd502b259371e2c17d0cb9
MassLogger
e47d2283c026db3c1d24b547699e99b6306c795616e2d13eb107de9a6eb938ad
MassLogger
e69ef837a837058a9717c85c8bf58e7289f5d083ff7be84d79f52113d661bc21
MassLogger
ea7d1d4d1756342dc5d5fd0d0bb7c68499b0c06623a005e66903d2262f4fcb39
MassLogger
+ 2'854 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware upx spyware stealer family:masslogger
Link:
https://tria.ge/reports/200720-amjd3jzjdn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
UPX packed file
MassLogger log file
MassLogger
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
0.26
Link:
https://yomi.yoroi.company/submissions/0c1d8cac8cfb4595fecf65abe0a296e1c9d4fab6be41a2d33e1c615144e5c7a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

r00 de28259ba502c620dd91f7ce92467c230f718f3993a5e87601a9d2bb1a7c92b5

MassLogger

Executable exe 0c1d8cac8cfb4595fecf65abe0a296e1c9d4fab6be41a2d33e1c615144e5c7a0

(this sample)

  
Dropped by
MD5 c8439bbf46324a14c829ca63d07c619f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/29100/
  
Dropped by
SHA256 de28259ba502c620dd91f7ce92467c230f718f3993a5e87601a9d2bb1a7c92b5

Comments