MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49624f5c771ea1f722d434fe9ddb5985529f67ebb0398ed54f5565ba5e470251. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	49624f5c771ea1f722d434fe9ddb5985529f67ebb0398ed54f5565ba5e470251
SHA3-384 hash:	bb971e7932fe82ea7c1471912a8d6ff62464b25ef2134d349572a8cb8e812425bcc66aa3d6295627b96cfc2cb914d276
SHA1 hash:	c2a70eb23ef2e029f400f680a6676a2a638c8e27
MD5 hash:	6776c53886645d953e106936ec046da1
humanhash:	april-oranges-moon-mobile
File name:	Bank Account.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'308'672 bytes
First seen:	2020-08-19 14:32:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:Uo1+ZHrj0BfJQvUu3Y3yFTSdV3IruPjJ:CqvW3YiFO/4
Threatray	532 similar samples on MalwareBazaar
TLSH	AD55D0806148B9DEC1571F705C27ADB0067BFFF91321D6093D0733AB8A73E56266B89A
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: sg1.productsgood.com
Sending IP: 45.125.192.99
From: Account <support@haisokbr.go.th>
Subject: Re: Bank Details
Attachment: Bank Account.rar (contains "Bank Account.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

80

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Ispy

Link:

https://www.capesandbox.com/analysis/48640/

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Running batch commands

Launching a process

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/438515

Signature

Binary contains a suspicious time stamp

Deletes itself after installation

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/49624f5c771ea1f722d434fe9ddb5985529f67ebb0398ed54f5565ba5e470251/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-19 10:51:50 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jfre6xdxd2q7oiwugt7j3w2zqvjj6z7lwa4y5vkpkvs3uxshajiq._file

Verdict:

unknown

Similar samples:

02fcb6cdd4b61cbf7f40448784a36d0067e618cac935aebf6fd6f482af076ba3

1c989f633edcaea6e97a4a96f8a1f9ed19d54ed109cfaf1053a67dc48d28fd52

20ec6cdb323f2e2eea0bfb107e820a079a41a3fc6afdf8378de930d7aa7b4160

2302005fdd7c57d73c350d541fd0020b051efffdf02a4f3c3e1671cacea30043

262df2047b1eb08b3e58a1edc2823e38563c42d74027a7ecfa2a6a8c7f1f1541

97a3f574869dfb82834d7481df5e280ab0944dda13ff548d5674e960493cfb8c

9dfba413d306830589105d96b90b5ea870b1975bd371350635ea1c2b591bcbd8

a990373e6225384bd1bab3441dc0cb881f1e03f51f83f7923ca6c9ff228bee5c

a9f8d8a5503dca2d63d36e17041e6d065a6bf7bad41c000dd6d5a1e73d18d786

f959039896cdd9c4add867b06af7d100629377c66ef7fb0fd4aeba48f9a9593e

+ 522 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200819-xbar5w2cqx/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/49624f5c771ea1f722d434fe9ddb5985529f67ebb0398ed54f5565ba5e470251

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 83d00e235085eda89e4358f3700260657391df716ad8f77c0bcf37f5a7b81d96

exe 49624f5c771ea1f722d434fe9ddb5985529f67ebb0398ed54f5565ba5e470251

(this sample)

Dropped by

MD5 fa4e6fad6886ffa5059b6314c5ee4d85

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/48640/

Dropped by

SHA256 83d00e235085eda89e4358f3700260657391df716ad8f77c0bcf37f5a7b81d96

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample