MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4534997b5b146c7caebb2f398e7ea0f2bbf434af23155ad13b0acd09b0487325. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	4534997b5b146c7caebb2f398e7ea0f2bbf434af23155ad13b0acd09b0487325
SHA3-384 hash:	006895fc565286ace09ff9cfba3b768c84bb05ee8478f771c0bea859110a96d5aaf110cd4408ce60d58ea9942972c0b9
SHA1 hash:	d187546e7d852a244f453fe8114e92052399f297
MD5 hash:	ae968565d7d2fe888a443791eef898ac
humanhash:	social-october-jersey-hawaii
File name:	WesBank Ref 00142455 DishonestFraudulentTransaction.pdf.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'204'736 bytes
First seen:	2020-08-03 17:39:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:BRdetz1eIFhOV4i+rvgoxHRKqakTDQ4QyZr:3GVhStkj1gqaknQ4Vr
Threatray	1'451 similar samples on MalwareBazaar
TLSH	5045DF1E76D14999E89E4FFE5D3918829E37F84F9923E38F35A1102D04F7388A815F1A
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing MassLogger:

HELO: slot0.comkamaindia.biz
Sending IP: 45.95.169.12
From: wventer@wesbank.co.za
Subject: WesBank Ref 00142455: Dishonest/Fraudulent Transaction
Attachment: WesBank Ref 00142455 DishonestFraudulent Transaction.pdf.gz (contains "WesBank Ref 00142455 DishonestFraudulent Transaction.pdf.exe")

MassLogger C2:
http://torlago.com/wp-owe/panel/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38037/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file in the %temp% directory

Moving a file to the %temp% directory

Deleting a recently created file

Setting a global event handler for the keyboard

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/408324

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

May check the online IP address of the machine

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM_3

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4534997b5b146c7caebb2f398e7ea0f2bbf434af23155ad13b0acd09b0487325/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-03 17:41:05 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=iu2js623crwhzlv3f44y47va6k57infpemkvvuj3blgqtmciomsq._file

Verdict:

malicious

MassLogger

2da5a5b8cdbb40f408d11f1d9dddc7d92e3eb42e88b7d7641cef839b90561aed

MassLogger

51f3a9f7ba793e867b3738a3f2707d11d3d839a099a70d6bb02c6b6aa68de4c8

MassLogger

5e57e98ff9180e08404e1ddaf29e274ab4df1149b2cbfbdf3422ae460afbafac

MassLogger

6f2ed9ee33724651d7fb52edc4dbb3bfde3c19ca12cf5e990952d392305d1c20

MassLogger

95d334eb3cabab89dede94fa1fdfb66560e7ca453ac25be1729a5c0d2e783934

MassLogger

b081c3ca5ac83f979746ca3b82455090c157446e85d57fa9a624782dc122a657

MassLogger

c523252072f5911950614d6a91d16036b0128c10458f05a4ab0b7a3221780c1a

MassLogger

d5132d40838a12d557fdcea3492cbe6775330dc7298bb806b076011816fe1f36

MassLogger

d83429370b6d814b6ff67dd1736424db4e11e39ee745867f09c98f49fae4e1fc

MassLogger

+ 1'441 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200803-eyam7kee2a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger log file

MassLogger

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4534997b5b146c7caebb2f398e7ea0f2bbf434af23155ad13b0acd09b0487325

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.