MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55be6c73b00189e473ef23d8693ab34f8eeec82c46ed27ee5b3e88944334aaf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55be6c73b00189e473ef23d8693ab34f8eeec82c46ed27ee5b3e88944334aaf9
SHA3-384 hash: 1e136ce79e5384f8e05cee597f62b23eaa6023591a2925f4ebd6a6231fe8de708875aa83470521bf637b664549c51b0a
SHA1 hash: 3781083a9f5b9f97643b0ed99f39a5aaa3422c6d
MD5 hash: efaf4fa0e82360f6b9b40fbd99b606b5
humanhash: cola-six-undress-high
File name:PI10042855PDF.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'007'104 bytes
First seen:2020-07-29 11:51:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:6aPhDtALOEDm2JeTIoW4YkS02q5Xvay2jyV:9pDtHk/JSQD1Y
Threatray 685 similar samples on MalwareBazaar
TLSH B225F159F692ED1AC3BD4934E2EC1A1CCEFC85C2A227D759788296FF16C73A2D4011B1
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: qq.com
Sending IP: 59.36.132.42
From: maggie yu <stone_mao@morsun.com>
Subject: PO- Strong Precision I200623 REQUEST FOR QUOTATION
Attachment: I200623 REQUEST FOR QUOTATION.IMG (contains "PI10042855PDF.exe")

MassLogger SMTP exfil server:
webmail.saritatravels.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34851/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request
Creating a window
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/402475
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55be6c73b00189e473ef23d8693ab34f8eeec82c46ed27ee5b3e88944334aaf9/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-29 11:53:08 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kw7gy45qage6i47pepmgsovtj6ho5sbmi3wsp3s3h2ejiqzuvl4q._file
Verdict:
unknown
Similar samples:
1382fdb29bab4fdfecdead8eb5d85d022a16d4f0286513b226745d890a3f47f4
MassLogger
3620092a3fe074a1adcf351ee1e91081b7227589993b148cd2acc18df351e9ea
MassLogger
606d39731ffeb838a7e31286cf75dba0c3ac101984e9c95cbeafd284d5e25671
MassLogger
70b1ba0ece1eaa61f8946de73d8528caff86b5255ba2fe05e15f5b507db5c8fc
MassLogger
7f0fb6cbeb67d61d2fcf55c3e9496eee625be53db7e4e0a6321403efd9f8f7c8
MassLogger
7f80a6416535bb755c265b940e2c3d6c7b5adda148883e3376a6b2672809a480
MassLogger
a654772e801683ef8639985af05c8845d16ab48df5c6a8e65d014251692d73d2
MassLogger
c8bc2bde7ab29368fc3ac5e32367bf63156514940465721908846bcc353eec27
MassLogger
e509b23e338968bd1f1242df28436bf1c954d91b2410654d55d3812078eda6f8
MassLogger
f8b4f7113aa0d1a2c45da336f44aa6f3aac6ccceb9e1251842fdc086b1f33eef
MassLogger
+ 675 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200729-pwldfpnhzx/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger log file
MassLogger
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55be6c73b00189e473ef23d8693ab34f8eeec82c46ed27ee5b3e88944334aaf9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

img 09e185c1a8eb5cdd3d506c5bc58a2f479f05c2e480b00b4191a31ebe28894ea2

MassLogger

Executable exe 55be6c73b00189e473ef23d8693ab34f8eeec82c46ed27ee5b3e88944334aaf9

(this sample)

  
Dropped by
MD5 471ff804c6170d51592796c58675bb73
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/34851/
  
Dropped by
SHA256 09e185c1a8eb5cdd3d506c5bc58a2f479f05c2e480b00b4191a31ebe28894ea2

Comments