MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9787a5aeefa1606bd166b54177d9f685dd01f03632ff9f3952909193c657028. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	c9787a5aeefa1606bd166b54177d9f685dd01f03632ff9f3952909193c657028
SHA3-384 hash:	9d9cbc8e42d5e65fb60de1b6aa1fd4b2026e54542ee0d1753c05d60d0467f7dae971289e8c3ea134813eac6f6204868d
SHA1 hash:	56eba5c41aa2a88480834f37393e397d3e6260c8
MD5 hash:	8aa67c5024bfee5226d38305f3736291
humanhash:	muppet-arkansas-sweet-pasta
File name:	Peace Transit Order 1670.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	942'080 bytes
First seen:	2020-08-05 08:23:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:3HqpFpaWAmyKNY6AL8uZsHDkaWb8OGRgLof8eqd:3qhs3KIL84sHQai4RV8
Threatray	718 similar samples on MalwareBazaar
TLSH	8715F10C26909174F26A0D3E9C750087DE1AED0B99E6A57F2A753E68C1FD14FAC21FE4
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing MassLogger:

HELO: TC1.tandaocommerce.com
Sending IP: 68.169.59.190
From: ventas2@indumagsrl.com.ar
Subject: New Purchase Order Peace Logistics / Transit
Attachment: Peace Transit Order 1670.zip (contains "Peace Transit Order 1670.exe")

MassLogger SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/39188/

Detection(s):

SecuriteInfo.com.CIL.HeapOverride.Heur.7853.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Sending a UDP request

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Enabling autorun by creating a file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/410546

Signature

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c9787a5aeefa1606bd166b54177d9f685dd01f03632ff9f3952909193c657028/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-05 04:46:47 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zf4huwxo7ilanpiwnnkbo7m7nbo5ahydmmx7t44vfeerspdfoaua._file

Verdict:

unknown

MassLogger

1a8d85a16bcc49b33c11489af823ff2f15caa31ecb616330bb54a4ca5b261769

MassLogger

23eb05b6df962a953c50eabb579e6a0a9358ca3f1a6319b9a98bbdb0be4ed611

MassLogger

271ae8f2104165d934488b9888b1fdcf6d6ec9a2263a603270ac9098f5d27323

MassLogger

961ca60cc81e38eacdf3197954394b03430b09a5613db567adfab92a3a718d0b

MassLogger

a13424875703c2b22381b0f2db797498bca3ac5b677e2e30ae3441aeff6b9e0e

MassLogger

a4df7bd8daff5a4723055c7589244e1719c45223f09f42b06a621aad5ee1f2f4

MassLogger

a9f8d8a5503dca2d63d36e17041e6d065a6bf7bad41c000dd6d5a1e73d18d786

MassLogger

ebcea3b90af00f67983ebb15abec7e46a480818904a74764aab402da08d7b16b

MassLogger

fc0bbe3c37a9d40c7cefaa4b5ec668b1b9513815dfbb73eaf1d3f4d8a56e0edc

MassLogger

+ 708 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200805-n37nxmy9vx/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/c9787a5aeefa1606bd166b54177d9f685dd01f03632ff9f3952909193c657028

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.