MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b46571fd44360c7d8e9771a807c0914f419dc7dc69a43b475b537484a1aa5053. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b46571fd44360c7d8e9771a807c0914f419dc7dc69a43b475b537484a1aa5053
SHA3-384 hash: 6a9fae6d77c7f07367118f84b86bbdd69430d3c3ff0e1835feb4aeb640f593c8cd2c48b9565d70e97db4205552d933c1
SHA1 hash: 28c80b4151a987f318d6faae6bf19d9566c3cc75
MD5 hash: f013528fbca058469f52035d94bea1af
humanhash: hot-tango-lamp-virginia
File name:company letter_pdf_______________________________________.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'799'168 bytes
First seen:2020-07-21 06:46:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 49152:WN3Q0Q+uVQROZ5baE301vwHurRZRSLLC1:KA0Q+uaROZ5N6wH4hSLLC
Threatray 538 similar samples on MalwareBazaar
TLSH CF850154D3F846DAE7BB57BDE46000008774B916ABEAE7991B81F0ED1C223618B53F63
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: auto-deal.gr
Sending IP: 209.58.149.66
From: CATHERINE<xasapi@auto-deal.gr>
Subject: RE: REQUEST FOR QOUTATION
Attachment: company letter_pdf_______________________________________.gz (contains "company letter_pdf_______________________________________.exe")

MassLogger SMTP exfil server:
smtp.dachanq.cc:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
MassLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29738/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.60237.7895.29713.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %temp% subdirectories
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading Telegram data
Moving a file to the %temp% subdirectory
Reading critical registry keys
Sending a custom TCP request
Deleting a recently created file
Creating a window
Setting a global event handler for the keyboard
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b46571fd44360c7d8e9771a807c0914f419dc7dc69a43b475b537484a1aa5053/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 06:47:10 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wrsxd7kegygh3duxoguapqerj5az3r64ngsdwr23kn2ijinkkbjq._file
Verdict:
malicious
Similar samples:
10eead56b5d7413b12b1fd1a4bf63dba2fa8995dad47d9a29577efd98264247a
MassLogger
218ab0970b729fe790515e64e9eab88b22893c7cac5594bd6d81b16e2245dcb4
MassLogger
5415e279ac5674de2c5ff76fac550a2588d156b59888c207f48bf81da76729b8
MassLogger
5c5408db84b06949b9aae7b528ad603bf17615ceac0aba3cd79cc92ed77b8163
MassLogger
7d95d648a3a6f221f5b9833c631e3a009454a0209666b717e091bf1886c995a2
MassLogger
8707af08ec5c7b76ea40346f7b62861080f534fc2438a30cda18260563a7c16e
MassLogger
9bd6661010ba5518e4db4cd619eb805765e72d5923065fbb46e4c48a6db7e631
MassLogger
a4cfc3715bff5df4b930adfd46eda975666cafebd5e538910680f44d105170a3
MassLogger
b1f60766fb1c9d311d8200f0d45898156f6ce60e9db644032731e9284bf1c552
MassLogger
daa21287c64f4ddf57136d013858af29aaa8ad92ee7d7cde68531f0b5979c55d
MassLogger
+ 528 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200721-z7vb9nqt5s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b46571fd44360c7d8e9771a807c0914f419dc7dc69a43b475b537484a1aa5053

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

gz e6d6efece3b8baf2d0373c8adc270be90e9e6d48ffdf6c3253646075dd4c2fdc

MassLogger

Executable exe b46571fd44360c7d8e9771a807c0914f419dc7dc69a43b475b537484a1aa5053

(this sample)

  
Dropped by
MD5 20d5d1903fe7b2f11ee6e0736f1d657d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/29738/
  
Dropped by
SHA256 e6d6efece3b8baf2d0373c8adc270be90e9e6d48ffdf6c3253646075dd4c2fdc

Comments