MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f9c8fddfe9fb02c88d8cdaea6efe3a1f88e56af6bb71161e30a1196a8cd8438. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f9c8fddfe9fb02c88d8cdaea6efe3a1f88e56af6bb71161e30a1196a8cd8438
SHA3-384 hash: c85a3f07efb7161f8f9ad48fc39b24c1d8d0d5889e7d637594e8904de28134b677f1a003240c4f4df5f93c69f5805055
SHA1 hash: daa8f5b4aa6330289bc802c0fe38d541bc5572bc
MD5 hash: 4a6cdb0a5b956461c3766686317b8f77
humanhash: paris-east-cat-quiet
File name:Swift.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'342'976 bytes
First seen:2020-07-16 10:41:58 UTC
Last seen:2020-07-16 12:08:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:li2CSVq2s9p+meCCRM2xerGKPEtMIvNNlGNsw1N+hqjwq:LsLeHM2knEuEnlo1YIjwq
Threatray 778 similar samples on MalwareBazaar
TLSH C355073175C69524C5190739C079DCE0A364BE863BA2DB1F70DA0B4ABE437DFAB0616E
Reporter abuse_ch
Tags:exe geo isbank MassLogger TUR


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: ileti.isbank.com.tr
Sending IP: 45.138.172.58
From: Turkiye Is Bankasi A.S <bilgilendirme@ileti.isbank.com.tr>
Reply-To: Turkiye Is Bankasi A.S <bilgilendirme@ileti.isbank.com.tr>
Subject: Swift Mesajı
Attachment: Swift.r00 (contains "Swift.exe")

MassLogger SMTP exfil server:
mail.ashpraskills.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26701/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.XWA.5954.29712.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Running batch commands
Launching a process
Creating a file
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/389577
Signature
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Creates executable files without a name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 246977 Sample: Swift.exe Startdate: 19/07/2020 Architecture: WINDOWS Score: 84 35 Multi AV Scanner detection for submitted file 2->35 37 Yara detected MassLogger RAT 2->37 39 .NET source code contains very large array initializations 2->39 41 Machine Learning detection for sample 2->41 7 Swift.exe 5 2->7         started        11 pcalua.exe 1 2->11         started        13 pcalua.exe 1 1 2->13         started        process3 file4 27 C:\Users\user\Desktop\.exe, PE32 7->27 dropped 29 C:\Users\user\Desktop\.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\Local\...\Swift.exe.log, ASCII 7->31 dropped 33 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 7->33 dropped 49 Creates executable files without a name 7->49 15 cmd.exe 1 7->15         started        17 .exe 7->17         started        19 .exe 1 11->19         started        signatures5 process6 signatures7 22 reg.exe 1 1 15->22         started        25 conhost.exe 15->25         started        43 Multi AV Scanner detection for dropped file 19->43 45 Machine Learning detection for dropped file 19->45 process8 signatures9 47 Creates an autostart registry key pointing to binary in C:\Windows 22->47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f9c8fddfe9fb02c88d8cdaea6efe3a1f88e56af6bb71161e30a1196a8cd8438/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 10:43:11 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t6oi7xp6t6yczcgyzwxkn37duh4i4vvpno3rcypdbiiznkgnqq4a._file
Verdict:
unknown
Similar samples:
1b8896fd54694388ff37b36b54afce1e15e0a1297f7383b2c38317fc606adf36
MassLogger
1d9e325f6d234c3d212243a3924f25a2e4acce0db718c57a52480e6994b5e173
MassLogger
2485826ad6e01c5ae26b460a9152854b3a6780da46f4abbca35be5b0bd570eb3
MassLogger
553ee875b3fc39e67daff6b7ace6590da149818f31bc7f84bc115858d10ab4f9
MassLogger
5d0fe828d087e58c38d1724aeced199e4fb352535621e09ab4875a2f960ddabb
MassLogger
677906173148035544d96ed87acd962194baf88a2c5c6a33e2ad94a850a81835
MassLogger
90ff23943691446d2cf73e28cba8dcd44cc7dc2577cdca70caf839e2331b6447
MassLogger
92227e0112ce45a2da5a726b14a6b573781f3da9e420c952fd10f6b22ca9c2b2
MassLogger
e0b4bd94f0a84e21e5bd9c173ed19d44e1e1959ecf09f4b4e7ce047bf6c287e5
MassLogger
e52c7992ab1aa4ed8defe7e3cd4243f47d2c422cfb6ae78f1d360a763dbabb32
MassLogger
+ 768 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware persistence spyware stealer family:masslogger
Link:
https://tria.ge/reports/200716-l496kxwqdn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
MassLogger log file
MassLogger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

r00 8ebefae1632dfd2f86167d5f207fb074597faa5b2f7e45faed816fd90e3d0cec

MassLogger

Executable exe 9f9c8fddfe9fb02c88d8cdaea6efe3a1f88e56af6bb71161e30a1196a8cd8438

(this sample)

  
Dropped by
MD5 7617718a3a965f7a62868d52ce3579b1
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26701/
  
Dropped by
SHA256 8ebefae1632dfd2f86167d5f207fb074597faa5b2f7e45faed816fd90e3d0cec

Comments