MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d2a566cdadb7d1397ba4cc96cf0ad361358a717523f547c30af8c92b88b712b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	6d2a566cdadb7d1397ba4cc96cf0ad361358a717523f547c30af8c92b88b712b
SHA3-384 hash:	b432dfd3edba180bd738f9a2de72e19a326a6b68ee0c6179b5f039f9c9e71ea231bc12257a72859c496ed5ca829f4bda
SHA1 hash:	e8d4fcd65e005561ce5c699376ad7667d0c0a1b9
MD5 hash:	42a20dafbe6049da3465b4f0b982c414
humanhash:	batman-pip-sad-uranus
File name:	New_PO_2020805.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'102'848 bytes
First seen:	2020-08-05 12:08:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:XavYYUCBWBPGptLM9Y5uIKIxAU6FlsgYq5sSR4VVktDPgOuM:kU0WNGptL6KxASju4YP5
Threatray	736 similar samples on MalwareBazaar
TLSH	0B35D0C8614878D9F1572E751C369EB2082FFEEB1220850A3A1737378973E5A356BD4E
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: hal-lndia.co.in
Sending IP: 5.188.93.228
From: sales@hal-lndia.co.in
Subject: Order
Attachment: New_PO_2020805.r00 (contains "New_PO_2020805.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

70

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/39545/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.34296696.14917.3871.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Running batch commands

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/411168

Signature

Deletes itself after installation

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6d2a566cdadb7d1397ba4cc96cf0ad361358a717523f547c30af8c92b88b712b/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-05 11:16:31 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nuvfm3g23n6rhf52jtewz4fngyjvrjyxki7vi7bqv6gjfoeloevq._file

Verdict:

unknown

Similar samples:

044c48fe42178958d8f55e5404e056ff0f1071d865deda9cc42518ab2c87fda7

0fd0591e79669d6016acff95109efd434cc39498d83f4ebdaac67c96091e4fa9

21cea3a243809c8cc06412ffd647e4896b35a246cf8c365484e0419477d94b37

271ae8f2104165d934488b9888b1fdcf6d6ec9a2263a603270ac9098f5d27323

3e4bbaedb75ecb1dba42d262fbb6c051d30dddbf7d10ceac4086836b67f1dd3a

6cf454ec0892e0367356ae674e93612f1c23d9c99874d8ff7de7d77055cbf9c6

b99de03440f57a55e0c9a269df9d79ff2214eb859361d217f76fa86579fd82df

bcd7372fd84fe78e97a72a842df6cab2a5d7a47909a3fd05b13f6f4990de8a7f

dc05645067f3f3ccf6a4e647dcf935c928fd981ef904672603a7ab409488166e

f1ce8a3c72d7e45300b38de923c0ad45c466ef17a44bec4aad85a4672690eb22

+ 726 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200805-jkzjdf6mhn/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger log file

MassLogger

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/6d2a566cdadb7d1397ba4cc96cf0ad361358a717523f547c30af8c92b88b712b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 4ab8c891c52a98f6583d66fc0e0021d29d3a21bbdaa7177a03aecb4eef4073e7

exe 6d2a566cdadb7d1397ba4cc96cf0ad361358a717523f547c30af8c92b88b712b

(this sample)

Dropped by

MD5 0d1aead14560f1db8e4b1e3054f3ab2d

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/39545/

Dropped by

SHA256 4ab8c891c52a98f6583d66fc0e0021d29d3a21bbdaa7177a03aecb4eef4073e7

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample