MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9810f656629ec1a2c0957a8d650b6caf1f9431e91c8a9516744636fbd39d54a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	9810f656629ec1a2c0957a8d650b6caf1f9431e91c8a9516744636fbd39d54a8
SHA3-384 hash:	cdc85c268193e76df94aa982b27f356607bffef36240043479fe6ff9fd76bb64347688fd289be6a43a5f483e12af0497
SHA1 hash:	81bd2b52b545f31b4a29c7749cd42db62ac672e4
MD5 hash:	b8802e4af1f4b8366521b4da418463a1
humanhash:	quiet-avocado-fish-fourteen
File name:	PO_2020130837727_288377233.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	997'888 bytes
First seen:	2020-08-14 06:12:19 UTC
Last seen:	2020-08-14 06:50:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	24576:J+shB7UkIF7Ge0vB/sKDo0prV6Nn48RDRNgPeRNqy/:J+shGkIFyZvB/spOV6NtRVkIqy
Threatray	525 similar samples on MalwareBazaar
TLSH	0C25026A22F0EA19C07BF37851A40216B7F77D0B10A5D30A9DD928D80D35BD24667EFB
Reporter	abuse_ch
Tags:	Endurance exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: qproxy3-pub.mail.unifiedlayer.com
Sending IP: 67.222.38.20
From: mportaciones AGROVIER SRL <importaciones@agrovier.com.bo>
Reply-To: importaciones@agrovier.com.bo
Subject: PO 114913 REQ 110243
Attachment: RFQ __SUPPLY ORDER.rar (contains "PO_2020130837727_288377233.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

73

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45529/

Detection(s):

SecuriteInfo.com.Trojan.Inject3.50344.31460.20301.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Running batch commands

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/428636

Signature

Initial sample is a PE file and has a suspicious name

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9810f656629ec1a2c0957a8d650b6caf1f9431e91c8a9516744636fbd39d54a8/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-14 06:14:07 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=taipmvtct3a2fqevpkgwkc3mv4pzimpjdsfjkftuiy3pxu45ksua._file

Verdict:

suspicious

Similar samples:

044c48fe42178958d8f55e5404e056ff0f1071d865deda9cc42518ab2c87fda7

065011f5098f869c79ff098a104765fa08050cfef16bac98b0944108de1ebee4

21cea3a243809c8cc06412ffd647e4896b35a246cf8c365484e0419477d94b37

3fc0677051b6ed2a651080ba5eeb17e10d78e82f68f86c5d27a3394107b0f74e

49406d04e4b7268279ea17e07bdb6e89c1d09b599b5afc2f9e95983db09125ef

a4df7bd8daff5a4723055c7589244e1719c45223f09f42b06a621aad5ee1f2f4

bcd7372fd84fe78e97a72a842df6cab2a5d7a47909a3fd05b13f6f4990de8a7f

dc05645067f3f3ccf6a4e647dcf935c928fd981ef904672603a7ab409488166e

f959039896cdd9c4add867b06af7d100629377c66ef7fb0fd4aeba48f9a9593e

fc9d50ccd0d0a267f1fa1003607ea81931a9c1f857798c3b10af9b5408f01437

+ 515 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200814-g9c2q4sjha/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9810f656629ec1a2c0957a8d650b6caf1f9431e91c8a9516744636fbd39d54a8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar df805bf0adbd20c24cf85af5822222cc00e4f8776a6630598add541a1ebfb1c5

exe 9810f656629ec1a2c0957a8d650b6caf1f9431e91c8a9516744636fbd39d54a8

(this sample)

Dropped by

MD5 b4acc476e1cc67d98d5852aa52b2bc15

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/45529/

Dropped by

SHA256 df805bf0adbd20c24cf85af5822222cc00e4f8776a6630598add541a1ebfb1c5

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample