MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6477024ed851023f3d69427ca14e9744d5cc6401daae7566dbbe6732788e721e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	6477024ed851023f3d69427ca14e9744d5cc6401daae7566dbbe6732788e721e
SHA3-384 hash:	ecb98c11c6c153092e5932111a2683019986aa17c5f236a5d4b444fca4309056ea9ad218a5a0a27a9576acd9501270fb
SHA1 hash:	e7cad27d0131453c11e0c62df1ac7b8fd38c843c
MD5 hash:	2d21f8b96c3c7af2272bcb35e41d80c1
humanhash:	venus-green-bulldog-oxygen
File name:	PO.NO. 20035352.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	918'528 bytes
First seen:	2020-08-05 09:21:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:aTMkJB+eBspcDxP4jtF3EJWRxkVjG16rlABbZdsd081aPm3ppElRKf:IMk+rclM3jMhlAdEdZ56l
Threatray	414 similar samples on MalwareBazaar
TLSH	2815121E37A46599F9B95E3F5C3114838D26FC1FEA22D18B1AB025AD847D68CFC20F61
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: bynunagate.com
Sending IP: 45.90.222.220
From: michael.philip <ales@bynunagate.com>
Reply-To: michael.philip <gk@aquaflor.ae>
Subject: PO.NO. 20035352
Attachment: PO.NO. 20035352.rar (contains "PO.NO. 20035352.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

72

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/39330/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Running batch commands

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/410806

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Deletes itself after installation

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6477024ed851023f3d69427ca14e9744d5cc6401daae7566dbbe6732788e721e/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-05 07:42:40 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mr3qetwykebd6pljij6kctuxitk4yzab3kxhkzw3xztte6eooipa._file

Verdict:

malicious

Similar samples:

08ee9ac3d7281eb7feb916d7e49d8b178ea88f69a2eb17b317f1e32842e89382

3142e234938b7d0d3bccb3faada5555b00f9e5d8fe9fc7dba7efe07ae03e4d99

60464dbfb4a5cb7227d3afe20367adb84757365e1b9a466ef95c0c96c28b31cf

6d430704bd3c6594f4732ec7e0f4bc0b899e93ac4d82d7f32da912dc6bdb9c35

6ee9c2dbb4e02add4966f1a720be2c6dd22cb0088fff92aa0e9a6b4d91e85b67

82c58393e0d855e14a9a3dadf046d823134e3d65c098146c9689df121739334b

8f5a34f80165dd3b125af00e0f799000581693356c589931ac12a3eca44dba2d

d8f4223d57a495c09741feb21a5e2ec082321d38a77e54a4d2b4b147d8e6bc23

ebc70b3a49276d78bea1209073f9855253b5110034c8159c704dde0ebd248008

ed23e691927f32d5c2d18f5b763fcc71fa62c6150233b1dbcf967d13521ef8f6

+ 404 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200805-j35eek19fs/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger log file

MassLogger

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6477024ed851023f3d69427ca14e9744d5cc6401daae7566dbbe6732788e721e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 58073c851cd3a7367637999f892188729f91156df331559c3decea6a4f64f539

exe 6477024ed851023f3d69427ca14e9744d5cc6401daae7566dbbe6732788e721e

(this sample)

Dropped by

MD5 931e41c23319f90269f55f25a40a90dd

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/39330/

Dropped by

SHA256 58073c851cd3a7367637999f892188729f91156df331559c3decea6a4f64f539

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample