MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b0e17e568860f443d28cd430f26925fbb7bc31ee55e287dd16be90274ed33c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b0e17e568860f443d28cd430f26925fbb7bc31ee55e287dd16be90274ed33c9
SHA3-384 hash: eb5a10d1f38292825704a14fbc1a033dda7c956b5b03f72c5aa03dc5ef1eb52364d7531be52060e67d2150b76fc47979
SHA1 hash: 22cd26b8610a8eefad82a690491052bf8f2b128a
MD5 hash: 2a3545f4dfeba61a015cca0f4598b010
humanhash: fanta-magazine-whiskey-delta
File name:SORUSTURMA 30.07.20.XLS.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'169'920 bytes
First seen:2020-07-31 12:17:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e94294aa486edca6180033051104c39 (5 x AgentTesla, 3 x MassLogger, 2 x NanoCore)
ssdeep 24576:5NZopgQgY2O9IcERDvQ3akjzS/sQojsCs7nRWZsePiUzbrFFthqyO0bGDOwXK:5NvcVAjqPnqZ2EXK
Threatray 2'908 similar samples on MalwareBazaar
TLSH 5C45E0E2B2D05433C26F15F98C0B9368AF36BE111A2919862FF50C4F9FF978139E5196
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: ipekyol.com.tr
Sending IP: 156.96.58.85
From: Ecem Sena Cömert <ecem.comert@ipekyol.com.tr>
Subject: R: SORUŞTURMA 30/07/20
Attachment: SORUSTURMA 30.07.20.XLS.r00 (contains "SORUSTURMA 30.07.20.XLS.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/36503/
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/406056
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b0e17e568860f443d28cd430f26925fbb7bc31ee55e287dd16be90274ed33c9/
Threat name:
Win32.Trojan.DataStealer
Create hunting rule
Status:
Malicious
First seen:
2020-07-31 12:19:08 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dmhbpzliqyhuipjizvbq6jusl65xxqy64vpcq7ornpuqe5hngpeq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
24154b374505bf76998acbeb5dafbf42a61a516234f2f1b708784ec3669bfbd1
MassLogger
311380e373e370131734bd5c65fe3b8a8b2862fc7049692e92ac12703487edc7
MassLogger
3d604878a1a81c85be92fc830d195e4503cf17c9e8cd3e6778e2f4c3cf14c83c
MassLogger
7f0bd5d4fdb77f5c7944ba26cf6028a8f7f3f92e674611385f6cdd1e5258708d
MassLogger
921535a6ad60e212e6628f7ae40b356db57c7be4a70c4616d032226fca211523
MassLogger
93e44f3a49647573e0de42b29d80a9ce0af5cb879417e6a3f6a238d88979c662
MassLogger
99876ee50802848768d32d6cd179141603d76259e33c223b47204e33ef4b416d
MassLogger
9f0c636096918ffd81f45e54f65d8992726cbfbef9a8d087476ab5360590d35d
MassLogger
bee273e8651fb168e330da50d83a3e4ad3769692d365d20f0cd9e1afbe13bcb0
MassLogger
e3d23bafecccf8c1282d7c7f561490061216edabbbdafde8dca65608ba28a8fc
MassLogger
+ 2'898 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware upx stealer spyware family:masslogger
Link:
https://tria.ge/reports/200731-wzb8tezxjj/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
UPX packed file
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b0e17e568860f443d28cd430f26925fbb7bc31ee55e287dd16be90274ed33c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

r00 568a3d56fd1b9f092dada16534f87312e93fe09afcc6af8a2b8e9be7d217572b

MassLogger

Executable exe 1b0e17e568860f443d28cd430f26925fbb7bc31ee55e287dd16be90274ed33c9

(this sample)

  
Dropped by
MD5 7423785a2b607b413ff0e2745c97a20d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/36503/
  
Dropped by
SHA256 568a3d56fd1b9f092dada16534f87312e93fe09afcc6af8a2b8e9be7d217572b

Comments