MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43c22ad8da4c7b3702e70d5c97e7ceed85a50dbd7926fccc5eda0bd775fcec51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43c22ad8da4c7b3702e70d5c97e7ceed85a50dbd7926fccc5eda0bd775fcec51
SHA3-384 hash: c860d59d632abc1a5c6bec076179035b95479f917a96285e07c9e2f56f2bb509ea2ac90bfad0b63b7099faaa81878eb5
SHA1 hash: 0cb670cbaf18ddcc3b53810d133c312ac734e51f
MD5 hash: 7d79b1f7dbf678558734e2e3941edab3
humanhash: oven-uniform-zulu-juliet
File name:Shipment Docs_Eval-MV-#00019839991900.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:2'005'504 bytes
First seen:2020-06-17 18:19:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 49152:6Vg5tQ7aN5xsrL2CwS8IEKAjhAZlTqKVDqd0P5:kg565LA1kAlAbqKN
Threatray 1'353 similar samples on MalwareBazaar
TLSH 8695F11333EEC365C3726273BA25B701AEBFB82506A1F55B2FD4097DB920121525EA73
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: curbvmf.curbell.com
Sending IP: 66.153.41.190
From: Gowsalya.P <docs@tidelcargo.com>
Subject: Fwd: SHIPMENT DOCUMENTS / RECEIVING CAN & ORIGINAL DOCS & CORRECTIONS IN HBL SPLIT
Attachment: Shipment Docs_Eval-MV-00019839991900.r09 (contains "Shipment Docs_Eval-MV-#00019839991900.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ipbcvwg2jr5toaxhbvojpz6o5wc2kdn5petpztc63if5o5p45riq._file
Verdict:
malicious
Similar samples:
07b55ae89038136fc1da21d2aaea7b9e6d17ea18843d26f9bbcad7124eb5f1be
MassLogger
0a44ee4a63f01378570de7668ee2daa17534d296a6ff2c45bc14d8f9b07bb837
MassLogger
0af91caf5bfd256133203be73629b6fc15dda3a6d11b007549babf7118763cfe
MassLogger
14fd527270413bbe03889b5082000818055ae981fd2ea0df41f24ff34c7c4621
MassLogger
68dfd4d506b49f1ac0345d9507835df35a25aca5df2fb52396e66af443f9feca
MassLogger
786b5266ae016683f13abe07cb1e99c01b2d617d3ca7518da086571d9f158d1b
MassLogger
9a2ffcf3f6be8f2fb3ea792c854fbe72e907c99391ded77733a1401d4d168e9e
MassLogger
d9d166ad30417f3158f7228c54985f97fe502523f910f14fbc5f7fb729c85e56
MassLogger
dfdf0f99d16bd7eb45ba5c6250fd49e81c99d41cd443bab3723ad9cdfb8b3a0f
MassLogger
f8166e1205c9dd0761f42f47c8d3e3c944b72b1fd3713a0383040f263987a649
MassLogger
+ 1'343 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200624-9h1ztzxz9x/
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
Deletes itself
Drops startup file
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

r09 ca969f43ffa5b68005eb6a4fcc63d6dae4a37152c16018d32f5599d4f8fb16ac

MassLogger

Executable exe 43c22ad8da4c7b3702e70d5c97e7ceed85a50dbd7926fccc5eda0bd775fcec51

(this sample)

  
Dropped by
MD5 2e04965a8b2d95edf7659724925bead1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ca969f43ffa5b68005eb6a4fcc63d6dae4a37152c16018d32f5599d4f8fb16ac
Cape
Cape
https://www.capesandbox.com/analysis/19553/

Comments