MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b0e17e568860f443d28cd430f26925fbb7bc31ee55e287dd16be90274ed33c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 1b0e17e568860f443d28cd430f26925fbb7bc31ee55e287dd16be90274ed33c9
SHA3-384 hash: eb5a10d1f38292825704a14fbc1a033dda7c956b5b03f72c5aa03dc5ef1eb52364d7531be52060e67d2150b76fc47979
SHA1 hash: 22cd26b8610a8eefad82a690491052bf8f2b128a
MD5 hash: 2a3545f4dfeba61a015cca0f4598b010
humanhash: fanta-magazine-whiskey-delta
File name: SORUSTURMA 30.07.20.XLS.exe
Signature: MassLogger
File size: 1'169'920 bytes
First seen: 2020-07-31 12:17:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2e94294aa486edca6180033051104c39
ssdeep: 24576:5NZopgQgY2O9IcERDvQ3akjzS/sQojsCs7nRWZsePiUzbrFFthqyO0bGDOwXK:5NvcVAjqPnqZ2EXK
TLSH: 5C45E0E2B2D05433C26F15F98C0B9368AF36BE111A2919862FF50C4F9FF978139E5196
Reporter: @abuse_ch
Tags: exe MassLogger


Twitter: @abuse_ch
Malspam distributing MassLogger:

HELO: ipekyol.com.tr
Sending IP: 156.96.58.85
From: Ecem Sena Cömert <ecem.comert@ipekyol.com.tr>
Subject: R: SORUŞTURMA 30/07/20
Attachment: SORUSTURMA 30.07.20.XLS.r00 (contains "SORUSTURMA 30.07.20.XLS.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 37
Origin country: FR

Mail intelligence
Geo location: Global
Volume: Low
Vendor Threat Intelligence

Result
Threat name: MassLogger RAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100

Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected MassLogger RAT
Behaviour

Threat name: Win32.Hacktool.CeeInject
Status: Malicious
First seen: 2020-07-31 12:19:08 UTC
AV detection: 24 of 31 (77.42%)
Threat level: 1/5

Result
Malware family: masslogger
Score: 10/10
Tags: ransomware upx stealer spyware family:masslogger
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
UPX packed file
MassLogger
MassLogger log file
Threat name: Malicious File
Score: 1.00

Yara Signatures


Rule name: masslogger_gcch
Author: govcert_ch
Rule name: win_masslogger_w0
Author: govcert_ch

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe 1b0e17e568860f443d28cd430f26925fbb7bc31ee55e287dd16be90274ed33c9 (this sample)

Delivery method: Distributed via e-mail attachment
