MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7202ac90daa5d696736a32eff2c930eba08332c9416ff6a464ce3ea17f414f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



MassLogger


Vendor detections: 8



SHA256 hash: c7202ac90daa5d696736a32eff2c930eba08332c9416ff6a464ce3ea17f414f9
SHA3-384 hash: c9ca45d326be99b19551f601f3d807b3a151bde57bf4693fa7ff5f139a66b7b18fb62ad07067284f26df3234515292f8
SHA1 hash: cd7dc538b01dea63f5c619ebe4de89ba75b3a245
MD5 hash: 702a370d537ad9909efe4645ff854a3e
humanhash: nebraska-montana-robert-august
File name: OC_Y590382614.exe
Signature: MassLogger
File size: 1'275'392 bytes
First seen: 2020-08-04 15:20:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4bae7147ec04d935db5914fb885560bb (11 x AgentTesla, 3 x MassLogger, 2 x AZORult)
ssdeep: 24576:TetNafLLOM9QKlNwWBaWPtGxcObhS5sJPSZ/wv0NNnPjTYp:Te00Kl6WBJP0xcDYMNRPW
Threatray: 2'123 similar samples on MalwareBazaar
TLSH: BF45CE1EF3A24436D0B21EFD7C176FA7482E7DC919285A463BECEDCC4E386502994297
Reporter: abuse_ch
Tags: exe MassLogger


abuse_ch
Malspam distributing unidentified malware:

HELO: hostingbahia3.com.ar
Sending IP: 216.144.253.162
From: Mariela Cortés <administracion@asociacionalborada.com.ar>
Subject: ORDEN DE COMPRA
Attachment: OC_Y590382614.cab (contains "OC_Y590382614.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 86
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a file
Running batch commands
Deleting a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Threat name: MassLogger RAT
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Creates files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected MassLogger RAT
Behaviour
Behavior Graph (ID 257102; sample OC_Y590382614.exe; start date 04/08/2020; architecture WINDOWS; score 100), rendered from the graph's node and edge labels as a process tree:

Sample-level signatures: Yara detected MassLogger RAT; Yara detected AntiVM_3; Machine Learning detection for sample; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

OC_Y590382614.exe (started)
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Queues an APC in another process (thread injection); Contains functionality to detect sleep reduction / modifications
  -> notepad.exe (started)
       dropped: C:\Users\user\AppData\Roaming\...\app.exe (PE32); C:\Users\user\...\app.exe:Zone.Identifier (ASCII)
       signatures: Creates files in alternative data streams (ADS)
       -> app.exe (started)
            signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 3 other signatures
            -> app.exe
                 -> app.exe
                      signatures: Maps a DLL or memory area into another process
                      -> app.exe
                           -> app.exe
                                signatures: Maps a DLL or memory area into another process
                                -> app.exe
                                     -> app.exe
                                          signatures: Maps a DLL or memory area into another process
                                -> app.exe
                                     -> cmd.exe
                                          -> conhost.exe
                      -> app.exe
                           -> cmd.exe
                                -> powershell.exe
                                -> conhost.exe
            -> app.exe
                 -> cmd.exe
                      -> powershell.exe
                      -> conhost.exe
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2020-08-04 15:22:07 UTC
AV detection: 39 of 48 (81.25%)
Threat level: 5/5
Result
Malware family: masslogger
Score: 10/10
Tags: ransomware upx spyware stealer family:masslogger
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
Loads dropped DLL
UPX packed file
Executes dropped EXE
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe c7202ac90daa5d696736a32eff2c930eba08332c9416ff6a464ce3ea17f414f9 (this sample)

Delivery method: Distributed via e-mail attachment

Comments