MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c93d6c966b427a7fbc632d2f6b39a09df059b56e0c4e4a307b0318c4198219c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c93d6c966b427a7fbc632d2f6b39a09df059b56e0c4e4a307b0318c4198219c5
SHA3-384 hash: adc64a85633c24fa096e67eed6c58fafc059ed3248d9454f38c78a7d05a058c63a31c0aaa8c7c69fdce60c42a41cfde5
SHA1 hash: 6de87116ef9838854e06db54a6b8c740e17efcd6
MD5 hash: 698ee13dea171710b6289ffe07947ae9
humanhash: carpet-potato-florida-twenty
File name:RFQ EA0903-18.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'276'416 bytes
First seen:2020-07-16 06:46:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Hi2CSVq2tecEChFZm8LbltfjLoA1TRRXAglVxvovRNKDtpaewDC:1LI83/rLoKXHlV8RNKRwRO
Threatray 871 similar samples on MalwareBazaar
TLSH B345293ABDC68424C46A0775C4699DC0B775A68A37A6CB1F34D703089E037EFFB0656A
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: iwsteel.com
Sending IP: 45.138.172.32
From: Hyun-Mi,Choi <marketing@iwsteel.com>
Reply-To: Hyun-Mi,Choi <marketing@iwsteel.com>
Subject: INQUIRY/RFQ FROM INTER WORLD STEEL.
Attachment: RFQ EA0903-18.r00 (contains "RFQ EA0903-18.exe")

MassLogger SMTP exfil server:
mail.alestayachting.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.368.7479.11585.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Running batch commands
Launching a process
Creating a file
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c93d6c966b427a7fbc632d2f6b39a09df059b56e0c4e4a307b0318c4198219c5/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 06:48:10 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ze6wzftlij5h7pddfuxwwonatxyftnlobrheumd3ammmigmcdhcq._file
Verdict:
unknown
Similar samples:
0785384b7bf97e6d74ac22ce8a6ba6cd629d858dd778928f6a4eac974c35cf61
MassLogger
12c7ff58c14c67fa84752c1b136860c7c621ccf8cd947183f6b1c918b4c8c737
MassLogger
2467434b0ac840b5f4dfa8ac3bc14ac9ee6004e7b71bfd3303ab62b6345f0c62
MassLogger
30dac0d69e366db4ce57a0935d5619e4bcebfcbaa9f14b7618970cc2aaa522f4
MassLogger
4193084a6eba68bbb6aef41ffc1f21685208c6b942de9e5853b70b04834c296e
MassLogger
540a1ab8a63b1b07ea3d80939868a94dafb79f6e2fc37a8a2cc22ded21c60deb
MassLogger
824f3b6b2f801742c68deb29ccf2347f591c5d04262dc1ad9efcb756be99ea25
MassLogger
d7269fff7321b7254a2a6ce7e6fb9b8347d73cb78597d73412b8d21344832e81
MassLogger
e3b22f7b9f72b19b41dfe024803aeeaa88d0072a3e10a5bea82413285721c91b
MassLogger
e9ca08e9192adcb0c65eae06bbc2ba1439b2615aeefee53a7cb26f15d691c071
MassLogger
+ 861 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware stealer spyware family:masslogger persistence
Link:
https://tria.ge/reports/200716-g4zzf55lw6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Adds Run key to start application
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
MassLogger log file
MassLogger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

r00 cadea31a5b889c11ae20b3a63f17ff9ff02e69cc0df69bf81a894d22027543f1

MassLogger

Executable exe c93d6c966b427a7fbc632d2f6b39a09df059b56e0c4e4a307b0318c4198219c5

(this sample)

  
Dropped by
MD5 0e415a9f996a9b77edf0cc5a91d2aae4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26390/
  
Dropped by
SHA256 cadea31a5b889c11ae20b3a63f17ff9ff02e69cc0df69bf81a894d22027543f1

Comments