MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10eead56b5d7413b12b1fd1a4bf63dba2fa8995dad47d9a29577efd98264247a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	10eead56b5d7413b12b1fd1a4bf63dba2fa8995dad47d9a29577efd98264247a
SHA3-384 hash:	dd3c6ee8f43ad06fdddfd8b77e803fc89e39d9da54a51bc0fe7f1013041851d5c2956d5ffaded42b825d1394de780fb0
SHA1 hash:	a088d4600b3c9573c92968e412c973a2981708d6
MD5 hash:	beb1f7f7ae08c302d5df6aece0ca2146
humanhash:	butter-low-spring-juliet
File name:	21-7 air 선적건 AWB 첨부해 드립니다.pdf.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	972'800 bytes
First seen:	2020-07-21 07:35:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:rpIt28oFHNUy2lcgkDsu1tK6/XeCHGnGhvnIBvyZdwc3NC5HumpgHw2k:rA4toeg2s2tbanYnIB6Zd13XHF
Threatray	580 similar samples on MalwareBazaar
TLSH	5825DF50D7F88AC9E7BA57BDE460000087B0B91AA7EAE7491B95F4ED1C22351CB43F67
Reporter	abuse_ch
Tags:	DHL exe geo KOR MassLogger

abuse_ch

Malspam distributing MassLogger:

HELO: smtp1.hiworks.co.kr
Sending IP: 121.254.168.204
From: md.kim@dhl.com <gksejr51@asialand.co.kr>
Subject: FW: AWB INVOICE. KOREA->DHL BY AIR (ETA 7/21) - From ACFM KOREA company
Attachment: DHLYour Attached Package Document for ARRIVAL.pdf.zip (contains "21-7 air 선적건 AWB 첨부해 드립니다.pdf.exe")

MassLogger SMTP exfil server:
smtp.brainchildglobal.com:587

Intelligence

File Origin

# of uploads :

1

# of downloads :

68

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/29809/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a file

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% subdirectories

Setting a global event handler for the keyboard

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/392741

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/10eead56b5d7413b12b1fd1a4bf63dba2fa8995dad47d9a29577efd98264247a/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2020-07-21 07:37:07 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cdxk2vvv25atwevr7unex5r5xix2rgk5vvd5tiuvo7x5tateer5a._file

Verdict:

malicious

Similar samples:

218ab0970b729fe790515e64e9eab88b22893c7cac5594bd6d81b16e2245dcb4

5415e279ac5674de2c5ff76fac550a2588d156b59888c207f48bf81da76729b8

5c5408db84b06949b9aae7b528ad603bf17615ceac0aba3cd79cc92ed77b8163

7d95d648a3a6f221f5b9833c631e3a009454a0209666b717e091bf1886c995a2

8707af08ec5c7b76ea40346f7b62861080f534fc2438a30cda18260563a7c16e

9bd6661010ba5518e4db4cd619eb805765e72d5923065fbb46e4c48a6db7e631

a4cfc3715bff5df4b930adfd46eda975666cafebd5e538910680f44d105170a3

b1f60766fb1c9d311d8200f0d45898156f6ce60e9db644032731e9284bf1c552

b46571fd44360c7d8e9771a807c0914f419dc7dc69a43b475b537484a1aa5053

daa21287c64f4ddf57136d013858af29aaa8ad92ee7d7cde68531f0b5979c55d

+ 570 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

spyware stealer family:masslogger

Link:

https://tria.ge/reports/200721-x54l3kqkle/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/10eead56b5d7413b12b1fd1a4bf63dba2fa8995dad47d9a29577efd98264247a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 44ed394e2f57716a9184cdf1c497331279c82bd5d3f9c544bb1bbe19f7df86c5

exe 10eead56b5d7413b12b1fd1a4bf63dba2fa8995dad47d9a29577efd98264247a

(this sample)

Dropped by

MD5 9c7a270b24163f6a515e7bda1165618e

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 44ed394e2f57716a9184cdf1c497331279c82bd5d3f9c544bb1bbe19f7df86c5

Cape

Cape

https://www.capesandbox.com/analysis/29809/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample