MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6efdd15723e5249946db600bca1fb2589778326dd1a4a217fbda9343290c5480. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6efdd15723e5249946db600bca1fb2589778326dd1a4a217fbda9343290c5480
SHA3-384 hash: 680e7bbebf0b8704512c44caa6db742ffcf90e97986e8676a07dbdcd43cd39699c64e7b40d5ccd50de4becbdfde419ee
SHA1 hash: 3e39afde8de4ee09a2157f9636682a7e3babe262
MD5 hash: d9cd198b9a6a7cc74eee772a185f5e7d
humanhash: jupiter-sixteen-kentucky-ack
File name:Guia de pagamento 000210031 22.07.2020.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:733'696 bytes
First seen:2020-07-22 08:56:33 UTC
Last seen:2020-07-22 11:27:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:tNHr2tDVPUm2iNSioGJQmxFHmHfPOGlpkAxKHMnGNVjQF1MXBffriuLuIAn:tCVcm1YIpCfPxlp7KVcFAriAuZ
Threatray 1'251 similar samples on MalwareBazaar
TLSH B5F40110F7F80BDAEB5947B6E0264554A7B9681E63E6D70D2B92F4DC0832B409B13F27
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: ripper1.x-logix.pt
Sending IP: 176.61.147.243
From: Antonia Portas <antoniaportas@hotmail.com>
Subject: Guia de pagamento 22.07.2020
Attachment: Guia de pagamento 000210031 22.07.2020.7z (contains "Guia de pagamento 000210031 22.07.2020.exe")

MassLogger FTP exfil server:
ftp.antares-group.ro:21

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading Telegram data
Reading critical registry keys
Moving a recently created file
Enabling autorun with Startup directory
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6efdd15723e5249946db600bca1fb2589778326dd1a4a217fbda9343290c5480/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 08:58:07 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n365cvzd4usjsrw3maf4uh5slclxqmtn2gskef733kjugkimksaa._file
Verdict:
unknown
Similar samples:
2a2a628e23fa234e422aa5edcb6718f54e5caa2822ee10950a30619d9e9b0534
MassLogger
2ed8cd44621cc06fa9a00f11b5217fe58839a8ec6bfee8d42f78f61263652da5
MassLogger
476d02f7c777bb08d97cf87c305e3cb4f41501c1b15ddd88e55f31bff0767b0a
MassLogger
49aaf4ae6bf7f60a07c4ffc43ca0be27fce694446436dd07aac5db362142c2c8
MassLogger
75fc0beb16fbe8af2f46d2cfcb7176af4289430516d74017d1a32cd0c37859c0
MassLogger
9256cc7129421443ba770b55f01042e58fa5af856df1db31e830f147213c2a1c
MassLogger
afd354c93f9c9ad2324dd4ecd1e58041f373f1b3360ef8ce2792e437bd104a8d
MassLogger
d5dd3977cdc2602a68093c08e166b1508253ef0934f986d00be980e47b7c50f9
MassLogger
dec608206e941da5042333c8e35fe01bb17e50cc67ec58b03e872694cb5e219b
MassLogger
f8a0ada1c983c16a3ff6b107c2a04cac970e51ba9bec2514771271af03b7b9fc
MassLogger
+ 1'241 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware stealer spyware family:masslogger
Link:
https://tria.ge/reports/200722-mc1lq4jt52/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6efdd15723e5249946db600bca1fb2589778326dd1a4a217fbda9343290c5480

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

7z fbb163a284cd1c702f14695d8a83da91ad1ddccf8553a262c2a5f1419a3bfaa8

MassLogger

Executable exe 6efdd15723e5249946db600bca1fb2589778326dd1a4a217fbda9343290c5480

(this sample)

  
Dropped by
MD5 1dfaa7346c56fc62f15c6cef0a185bec
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30977/
  
Dropped by
SHA256 fbb163a284cd1c702f14695d8a83da91ad1ddccf8553a262c2a5f1419a3bfaa8

Comments