MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cce8a02cb6b4a8e601af123a1ec418b1ed77228e3929121f9c3b42eda67b8d17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cce8a02cb6b4a8e601af123a1ec418b1ed77228e3929121f9c3b42eda67b8d17
SHA3-384 hash: 766a83d13601240881b1c00143636e32d99b4c4221e2aae8e3d56fe5ad2b1070943d373449fa7f939b50072c70fe1d46
SHA1 hash: e323fb09365e3fab4ecf8bdee5d9c8d42375fd56
MD5 hash: b48cda1ebc473b97956ea5c7621322c2
humanhash: two-william-comet-freddie
File name:Our New Order August 17 2020 at 2.99_PVV440_PDF.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:659'968 bytes
First seen:2020-08-19 09:18:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:DM0Z1C+W5bHGFeeBPuN6sW8D89//3Tt5uP6B5nsTUAnTBYa6ei4pk:Y0rjAiBWN6sW8D89//3TPtf25J/iGk
Threatray 653 similar samples on MalwareBazaar
TLSH 9FE412A362CA6626D17A35334371A7054BE687561123C33BF89F13970F23BFE9451AC5
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: hosting4.kmtiendas.com
Sending IP: 37.152.93.84
From: Jana Azih <jana.azih@getinge.com>
Subject: RE: AW: Our New Order/Enquiry No.00127
Attachment: Our New Order August 17 2020 at 2.99_PVV440_PDF.img (contains "Our New Order August 17 2020 at 2.99_PVV440_PDF.exe")

MassLogger SMTP exfil server:
mail.copyrap.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ispy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/48327/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Sending a UDP request
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Deleting a recently created file
Sending a custom TCP request
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/437224
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cce8a02cb6b4a8e601af123a1ec418b1ed77228e3929121f9c3b42eda67b8d17/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 23:06:21 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ztukalfwwsuomanpci5b5raywhwxoiuoheureh44hnbo3jt3rulq._file
Verdict:
malicious
Similar samples:
13af67261cdde6647fc4c1669ced247f69a2e03b08e62dfea53a3af3d4a867da
MassLogger
2c7ac0a31c8828ec11ad0c9dd80f8809fb1248f5c36b6b34d8c9974aa8ecaa06
MassLogger
45eac93db3a0554afa555fdfced45c8bd9d5c973d05f3e4b40219be984dd0d28
MassLogger
7080b4b381aa5445667f682c0b6d8a7651dfbf8c07383f9796ffd8558e506338
MassLogger
987e0b5d35a989d7eff88f7aed06a643e18d500266871e9e1cb901ed8f3d484a
MassLogger
9b8c523e9a551600cec0e653e4c8085dcf1b4a7e77559a903e64e7f1aa659223
MassLogger
a4df7bd8daff5a4723055c7589244e1719c45223f09f42b06a621aad5ee1f2f4
MassLogger
a9f8d8a5503dca2d63d36e17041e6d065a6bf7bad41c000dd6d5a1e73d18d786
MassLogger
b8789e245fdcc8f15b3e86a516660004980a8febea95077b7606e5bfc4a7bd31
MassLogger
c7202ac90daa5d696736a32eff2c930eba08332c9416ff6a464ce3ea17f414f9
MassLogger
+ 643 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200819-xy4hscrzv6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

img 51b498cc29faaf1de9b608530c8e0ee0029c333a17326ed5b95ea482d68b6df6

MassLogger

Executable exe cce8a02cb6b4a8e601af123a1ec418b1ed77228e3929121f9c3b42eda67b8d17

(this sample)

  
Dropped by
MD5 f6c08173fb70fa952800f024ce902ef1
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48327/
  
Dropped by
SHA256 51b498cc29faaf1de9b608530c8e0ee0029c333a17326ed5b95ea482d68b6df6

Comments