MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 925bc865f2151bd08bb14123ebf68f97eba97529a33de123e4e4cbade9a951e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 925bc865f2151bd08bb14123ebf68f97eba97529a33de123e4e4cbade9a951e6
SHA3-384 hash: 29d5b22cacccf83af708009744b427b267f9c5cc947c10dd72a7af44cdd471fdca2dae85d125fba2166cd6c5cb50e4d3
SHA1 hash: 303bb329745f99bf3c88535914f8b0ac768ac107
MD5 hash: 787505a211af41260aa84e8473ca533e
humanhash: fix-high-fanta-monkey
File name:INQ4556 PO.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:975'872 bytes
First seen:2020-08-19 14:45:55 UTC
Last seen:2020-08-19 15:47:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:oxeLFA/Fa4GxZNt+VXTms6qddw0o4sKiOY:MeLFA/nqoVXTP6qA0NsKiO
Threatray 564 similar samples on MalwareBazaar
TLSH 64250196F016226CF86DB5FFD0910DA35AF28CA74605661601F43FBA3D39153CF98A2E
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: s111-ir-cpanel-trade.maindns.net
Sending IP: 185.165.116.18
From: hadi <hadimohamedhu@gmail.com>
Subject: Re:INQ4556 PO
Attachment: INQ4556 PO.rar (contains "INQ4556 PO.exe")

MassLogger SMTP exfil server:
smtp.gmail.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48662/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.405.11580.24814.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/438595
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 271777 Sample: INQ4556 PO.exe Startdate: 20/08/2020 Architecture: WINDOWS Score: 92 54 Found malware configuration 2->54 56 Yara detected MassLogger RAT 2->56 58 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 2->58 60 5 other signatures 2->60 9 INQ4556 PO.exe 3 2->9         started        process3 file4 36 C:\Users\user\AppData\...\INQ4556 PO.exe.log, ASCII 9->36 dropped 68 Injects a PE file into a foreign processes 9->68 13 INQ4556 PO.exe 15 7 9->13         started        signatures5 process6 dnsIp7 46 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.126.66, 49741, 80 AMAZON-AESUS United States 13->46 48 nagano-19599.herokussl.com 13->48 50 api.ipify.org 13->50 38 C:\Users\user\VideoLAN\vlc.exe, PE32 13->38 dropped 17 cmd.exe 1 13->17         started        19 cmd.exe 1 13->19         started        file8 process9 process10 21 vlc.exe 3 17->21         started        24 conhost.exe 17->24         started        26 timeout.exe 1 17->26         started        28 conhost.exe 19->28         started        30 schtasks.exe 19->30         started        signatures11 62 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->62 64 Machine Learning detection for dropped file 21->64 66 Injects a PE file into a foreign processes 21->66 32 vlc.exe 14 6 21->32         started        process12 dnsIp13 40 smtp.gmail.com 66.102.1.108, 49748, 587 GOOGLEUS United States 32->40 42 54.197.225.198, 49746, 80 AMAZON-AESUS United States 32->42 44 4 other IPs or domains 32->44 52 Tries to steal Mail credentials (via file access) 32->52 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/925bc865f2151bd08bb14123ebf68f97eba97529a33de123e4e4cbade9a951e6/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-19 07:28:17 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sjn4qzpscun5bc5rier6x5ups7v2s5jjum66ci7e4tf232njkhta._file
Verdict:
unknown
Similar samples:
3333a191bc36b4a7a76e51c0b7b83c5d2b7d253f074789c2302ec598c30711b3
MassLogger
56f2c7b9d0efa06b177d87a0617b2a4ccb000d72599d046e3cc014628a4ca497
MassLogger
66332e53989ee89d3c963cecd82424b45e332cadb2d9e13ba13f9f49d22b25ee
MassLogger
687bbb360426bced3a9f69df3a4ae321c30c2e6e8cc40bde6b6b7519a6aaab34
MassLogger
779250862192983603f41542782abb140ff3a0be669c5fb3bf80ea6932b4fc50
MassLogger
88ca3229bbbcdfa0efd9ba8533253fc7cb11206b266d0bcdde54e2c10ac87e35
MassLogger
923400c38b42c55fd484b8dfec8058a5952de23cbe053dea7bf041aa727c1b25
MassLogger
992224c3cf97b0d58a9a0c5af443de835abecf518c8c9da0c7724f8929922f8f
MassLogger
d3027dd8d1fd1dc823baace52ec28189ed1486065438d86c640199f4d98d3f79
MassLogger
d589bde71aff96cea185e9175ca0797d0799a0f0d64de123be6e2c1bc9c73b68
MassLogger
+ 554 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200819-47g1d1jjf2/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/925bc865f2151bd08bb14123ebf68f97eba97529a33de123e4e4cbade9a951e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar 370da6a864cc0f7c3387cee818401ef3892bd81b153a9fe39cc6affc55d248e8

MassLogger

Executable exe 925bc865f2151bd08bb14123ebf68f97eba97529a33de123e4e4cbade9a951e6

(this sample)

  
Dropped by
MD5 759e64330ef03e904c62c30dcc5ae26e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48662/
  
Dropped by
SHA256 370da6a864cc0f7c3387cee818401ef3892bd81b153a9fe39cc6affc55d248e8

Comments