MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcd7372fd84fe78e97a72a842df6cab2a5d7a47909a3fd05b13f6f4990de8a7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: bcd7372fd84fe78e97a72a842df6cab2a5d7a47909a3fd05b13f6f4990de8a7f
SHA3-384 hash: 39202a22975a82ed924d189d138e7cc0715d4eb62b75eaa8ab8e73aaa8ba64e883e6af65ecdd81e559c6168bdea9ceb0
SHA1 hash: 01da166b48252cfb52ad7b42730ec994f07c7db2
MD5 hash: 97edaeff8f726e10d554f8f8f5aad7ae
humanhash: mississippi-eleven-yellow-beer
File name: Document#0193832.exe
Signature: MassLogger
File size: 1'188'864 bytes
First seen: 2020-07-31 12:08:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 24576:ZlCrDcqxjnB1/8uXJZiIQhRWBf/SPXwJKHc9KH:uvcMjB1xKUBf/U8K89Q
TLSH: 8F459B4026589B0FE34781B47467D2F18223D498EF62CE636D5FE5AB19E22FE3883157
Reporter: @abuse_ch
Tags: exe MassLogger


Twitter
@abuse_ch
Malspam distributing MassLogger:

HELO: vip.friendtimes.net
Sending IP: 111.231.110.135
From: Barbara D. Larson <test@vip.friendtimes.net>
Reply-To: Barbara D. Larson <test@vip.friendtimes.net>
Subject: New order for item #410056077
Attachment: Certified check of 6500.rar (contains "Document#0193832.exe")

MassLogger SMTP exfil server:
mail.privateemail.com:587

Intelligence


File Origin
# of uploads: 1
# of downloads: 31
Origin country: FR

Mail intelligence
Geo location: Global
Volume: Low
Vendor Threat Intelligence
Result
Threat name: MassLogger RAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected MassLogger RAT
Threat name: ByteCode-MSIL.Trojan.Kryptik
Status: Malicious
First seen: 2020-07-31 12:10:14 UTC
AV detection: 23 of 31 (74.19%)
Threat level: 5/5
Result
Malware family: masslogger
Score: 10/10
Tags: ransomware stealer spyware family:masslogger
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger log file
MassLogger
Threat name: Kryptik
Score: 1.00

Yara Signatures


Rule name: masslogger_gcch
Author: govcert_ch
Rule name: win_masslogger_w0
Author: govcert_ch

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: MassLogger
File: Executable exe bcd7372fd84fe78e97a72a842df6cab2a5d7a47909a3fd05b13f6f4990de8a7f (this sample)
Delivery method: Distributed via e-mail attachment

Comments