MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6077a9d47232d6bb6425891c5c71096e21e4f961fa4b882004c4574a23321ab9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 2 Comments

SHA256 hash: 6077a9d47232d6bb6425891c5c71096e21e4f961fa4b882004c4574a23321ab9
SHA3-384 hash: 64e2d0f600317f401f73109352af72fcfc6b47d80cd9f3c93a1d195ebdf40f471782c9fc87b9e1d08e0a26c7c614890a
SHA1 hash: c97788c492ebd0f959f069ab5b6d341fb2fbcaa1
MD5 hash: bbb0b33663055f506d0dc4fa382b6ef6
humanhash: five-north-fillet-kansas
File name:gunzipped
Download: download sample
Signature MassLogger
File size:958'976 bytes
First seen:2020-07-31 12:12:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 24576:/b/8wVmAugJ1h18JJOf3Szz8OAclIKKZFuNUcpLfoz:/b/xVDugUJEizzvlIKKDm3foz
TLSH DC15E048F1C5962AF8473BFBCEBAC8638967FD2E0176421F216E326745F730914A1E25
Reporter @abuse_ch
Tags:MassLogger


Twitter
@abuse_ch
Malspam distributing MassLogger:

HELO: server.accountpdd.life
Sending IP: 89.41.26.168
From: Cheong Siew<test@msaratco.com>
Subject: New Order / PO38562110
Attachment: PO38562110.gz (contains "gunzipped")

MassLogger C2:
http://visionmoneymantra.com/os/panel/

Intelligence


File Origin
# of uploads :
1
# of downloads :
34
Origin country :
FR FR
Mail intelligence
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
Gathering data
Result
Threat name:
MassLogger RAT
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Status:
Malicious
First seen:
2020-07-31 12:14:08 UTC
AV detection:
26 of 30 (86.67%)
Threat level
  5/5
Result
Malware family:
masslogger
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger log file
MassLogger
Threat name:
Suspicious File
Score:
0.45

Yara Signatures


Rule name:masslogger_gcch
Author:govcert_ch
Rule name:win_masslogger_w0
Author:govcert_ch

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe 6077a9d47232d6bb6425891c5c71096e21e4f961fa4b882004c4574a23321ab9

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments