MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fc0677051b6ed2a651080ba5eeb17e10d78e82f68f86c5d27a3394107b0f74e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3fc0677051b6ed2a651080ba5eeb17e10d78e82f68f86c5d27a3394107b0f74e
SHA3-384 hash: 199520a17a133418b2a59169bd197260e1ac15350a313d25aa079f05fd235aa018080e77e9fd378596bbb48a6123d594
SHA1 hash: 103e7ab4abcc5290236b1a2c7226f74545d1815a
MD5 hash: e851c9194355f1520598be2abf8bdd9b
humanhash: six-aspen-beer-west
File name:SWIFT_001300221547_0039948822.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'298'944 bytes
First seen:2020-08-04 13:20:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:UIYxPeVZl6Tvrusr3WjTRndPylZDeVZugBKN1pmDuyh4hkC2JhTv0PV:UIPVj+juGoPPyHSsiKN1pmDqhdqTMV
Threatray 695 similar samples on MalwareBazaar
TLSH 0455D0C1F1409D50E82A4A3B893349914B33AC6BEF43C607349CB6596BF72966E75F83
Reporter abuse_ch
Tags:Endurance exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: qproxy5-pub.mail.unifiedlayer.com
Sending IP: 69.89.21.30
From: Accounts <Accounts@hsbc.de>
Reply-To: Accounts@hsbc.de
Subject: RE: Pending Payment for June and July Invoices_Compar Invoice Paid
Attachment: SWIFT_001300221547_0039948822.rar (contains "SWIFT_001300221547_0039948822.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38697/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/409445
Signature
Deletes itself after installation
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3fc0677051b6ed2a651080ba5eeb17e10d78e82f68f86c5d27a3394107b0f74e/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 13:22:08 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h7ago4crw3wsuziqqc5f52yx4egxr2bpnd4gyxjhum4ucb5q65ha._file
Verdict:
unknown
Similar samples:
044c48fe42178958d8f55e5404e056ff0f1071d865deda9cc42518ab2c87fda7
MassLogger
065011f5098f869c79ff098a104765fa08050cfef16bac98b0944108de1ebee4
MassLogger
21cea3a243809c8cc06412ffd647e4896b35a246cf8c365484e0419477d94b37
MassLogger
49406d04e4b7268279ea17e07bdb6e89c1d09b599b5afc2f9e95983db09125ef
MassLogger
9810f656629ec1a2c0957a8d650b6caf1f9431e91c8a9516744636fbd39d54a8
MassLogger
a4df7bd8daff5a4723055c7589244e1719c45223f09f42b06a621aad5ee1f2f4
MassLogger
bcd7372fd84fe78e97a72a842df6cab2a5d7a47909a3fd05b13f6f4990de8a7f
MassLogger
dc05645067f3f3ccf6a4e647dcf935c928fd981ef904672603a7ab409488166e
MassLogger
fa473a9f7280e22e757799c9d18a21bded2f5500a47063e926105db33e77b4f8
MassLogger
fc9d50ccd0d0a267f1fa1003607ea81931a9c1f857798c3b10af9b5408f01437
MassLogger
+ 685 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200804-9akrc329pj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger log file
MassLogger
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3fc0677051b6ed2a651080ba5eeb17e10d78e82f68f86c5d27a3394107b0f74e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar a9ae068f33462639db6abfd06a02d63bd712b11a6b3d52ebde25e4d402293b84

MassLogger

Executable exe 3fc0677051b6ed2a651080ba5eeb17e10d78e82f68f86c5d27a3394107b0f74e

(this sample)

  
Dropped by
MD5 99598209f8d89b52046e996b1403dcf9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a9ae068f33462639db6abfd06a02d63bd712b11a6b3d52ebde25e4d402293b84
Cape
Cape
https://www.capesandbox.com/analysis/38697/

Comments