MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b59de7a97df74d5e59c0f02697e9ae4e9391a01998de6baf4c937bdf2f678f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b59de7a97df74d5e59c0f02697e9ae4e9391a01998de6baf4c937bdf2f678f5
SHA3-384 hash: 2fcd27461b9a377f5bae18d3fbab47889bfca7e571329316ac8b83b7878bb9cb2dd23bd56e4736adfe021c1ff93bfbce
SHA1 hash: fe64df31d6a55dad031e6d4c73173df61d56590c
MD5 hash: 029bc6a7b0e7987195c6b17fa6887b1a
humanhash: avocado-butter-march-emma
File name:PI1009372PDF.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:913'920 bytes
First seen:2020-08-06 08:00:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:sRFyAoft65qv7aCwBILCEMaona6O8jvMNSsvy/ByHm6PbivPHQ5:gmI5qHwBICXaSNrOy/sHmFHY
Threatray 1'100 similar samples on MalwareBazaar
TLSH 4D150272A2C41EDBD13CA4B88C05726492F2C24A22B2EEDAFFE540E915C5BD11F3655F
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: rdns0.fresna.xyz
Sending IP: 164.90.155.99
From: "VU , Hong"<office@fresna.xyz>
Reply-To: <erikw.gohomeltd@gmail.com>
Subject: RE: RE: Request of Status of Quote
Attachment: PI1009372PDF.7z (contains "PI1009372PDF.exe")

MassLogger SMTP exfil server:
webmail.saritatravels.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/40362/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/412586
Signature
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 258560 Sample: PI1009372PDF.exe Startdate: 06/08/2020 Architecture: WINDOWS Score: 100 30 cdn.onenote.net 2->30 32 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->32 40 Found malware configuration 2->40 42 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->42 44 Sigma detected: Scheduled temp file as task from temp location 2->44 46 7 other signatures 2->46 8 PI1009372PDF.exe 7 2->8         started        signatures3 process4 file5 22 C:\Users\user\AppData\...\cmiWvkSiJBmR.exe, PE32 8->22 dropped 24 C:\Users\...\cmiWvkSiJBmR.exe:Zone.Identifier, ASCII 8->24 dropped 26 C:\Users\user\AppData\Local\...\tmp474C.tmp, XML 8->26 dropped 28 C:\Users\user\...\PI1009372PDF.exe.log, ASCII 8->28 dropped 48 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->48 50 Injects a PE file into a foreign processes 8->50 12 PI1009372PDF.exe 15 6 8->12         started        16 schtasks.exe 1 8->16         started        18 PI1009372PDF.exe 8->18         started        signatures6 process7 dnsIp8 34 elb097307-934924932.us-east-1.elb.amazonaws.com 54.235.83.248, 49725, 80 AMAZON-AESUS United States 12->34 36 nagano-19599.herokussl.com 12->36 38 api.ipify.org 12->38 52 Tries to steal Mail credentials (via file access) 12->52 20 conhost.exe 16->20         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b59de7a97df74d5e59c0f02697e9ae4e9391a01998de6baf4c937bdf2f678f5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-06 06:05:45 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dnm546ux352nlzm4b4bgs7u24tutsgqbtgg6noxuze3334xwpd2q._file
Verdict:
unknown
Similar samples:
1a128360798520eca9e82a0f2b97de12068788c89686adad3b44d68f9fc671e6
MassLogger
23486053a77b3b37f7323a6bd6941ec13d341fc553bcb0675b475cef4392c894
MassLogger
54c937e5b6fe28e7076e549802765e15ad6191d2ddc427b532ff9347fef2eb39
MassLogger
8ec5d666ff1af04113f22c80294db956bedff4123e59ee925c5583c47b7794ec
MassLogger
99938664e2162f06313d017b275c7da25b45d578177911808a986f416377e15d
MassLogger
9c33a1f6a337e39a99c4480f19e63fbaeee191defcd51c8a908e9af9da8e115c
MassLogger
b1135688496020eb3e075121b22fb9c726c6021068ce415be82d8e48540dc563
MassLogger
c384329760d0131d7421eda97a27136a3cee9271d4645a64e7248ae709150a4e
MassLogger
e9d361854883ec0f97b1e70a46a4f40393848b33dfaf63ef182c665a68b043dd
MassLogger
f8bfe504676559b37494dd204efc4974a7a08f2abafdbee5a8e75bc6df16e5d5
MassLogger
+ 1'090 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200806-rqqz4zyz82/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b59de7a97df74d5e59c0f02697e9ae4e9391a01998de6baf4c937bdf2f678f5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 2234b93f14f3643cce17c1562c97120e89e2d87e329809a05c033e6fd5b0322c

MassLogger

Executable exe 1b59de7a97df74d5e59c0f02697e9ae4e9391a01998de6baf4c937bdf2f678f5

(this sample)

  
Dropped by
MD5 22af0714fb72629cc0e1af50d9f0d7e6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/40362/
  
Dropped by
SHA256 2234b93f14f3643cce17c1562c97120e89e2d87e329809a05c033e6fd5b0322c

Comments