MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce41031b56cdb4cf97a4c9e24b14ffd16672719457b5a394daa7a4ccb91591bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce41031b56cdb4cf97a4c9e24b14ffd16672719457b5a394daa7a4ccb91591bf
SHA3-384 hash: 7152fa6f5876353f62d8b7a74b7b15fed68958b059cda4bd29851d88c034768d83f269f9a8b4465c84d92c86ebe88004
SHA1 hash: 0c32494e1b87f373392ae969b756947337771d0c
MD5 hash: fb20c05f12476e883d941268d6ff7ff8
humanhash: lemon-jersey-ceiling-nebraska
File name:order 2020.pdf.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:880'128 bytes
First seen:2020-08-05 09:30:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:cx6Ap2bza4gFk55SiJr+7+GwGWhOdhrdJBWIoplUbL/WKmHv:c6zwFk6iJq+Gw1EJbjocOK
Threatray 692 similar samples on MalwareBazaar
TLSH B815121D36909149FABF1E3F6D3041A38E25F84F9E66C24B29B11179487E24CBDA1F62
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: archway-engineering.com
Sending IP: 156.96.156.165
From: Ashley Jackson <ashley.jackson@archway-engineering.com>
Subject: RE: RE: RE: RE:New Order
Attachment: order 2020.pdf.z (contains "order 2020.pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39366/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.10805.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Running batch commands
Enabling autorun by creating a file
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/410859
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 257757 Sample: order 2020.pdf.exe Startdate: 05/08/2020 Architecture: WINDOWS Score: 100 35 Sigma detected: Scheduled temp file as task from temp location 2->35 37 Yara detected MassLogger RAT 2->37 39 Sigma detected: Suspicious Double Extension 2->39 41 8 other signatures 2->41 8 order 2020.pdf.exe 5 2->8         started        process3 file4 27 C:\Users\user\AppData\...\uSRQyICPZwKer.exe, PE32 8->27 dropped 29 C:\...\uSRQyICPZwKer.exe:Zone.Identifier, ASCII 8->29 dropped 31 C:\Users\user\AppData\Local\...\tmp8875.tmp, XML 8->31 dropped 33 C:\Users\user\...\order 2020.pdf.exe.log, ASCII 8->33 dropped 45 Injects a PE file into a foreign processes 8->45 12 order 2020.pdf.exe 2 8->12         started        14 schtasks.exe 1 8->14         started        16 order 2020.pdf.exe 8->16         started        signatures5 process6 process7 18 cmd.exe 1 12->18         started        20 conhost.exe 14->20         started        process8 22 powershell.exe 17 18->22         started        25 conhost.exe 18->25         started        signatures9 43 Deletes itself after installation 22->43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce41031b56cdb4cf97a4c9e24b14ffd16672719457b5a394daa7a4ccb91591bf/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 07:32:10 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zzaqgg2wzw2m7f5ezhrewfh72fthe4muk622hfg2u6smzoivsg7q._file
Verdict:
unknown
Similar samples:
1872a9eaa84a2a54125c3d8e5196f998808f808942c69192340e731a58ff971f
MassLogger
20ec6cdb323f2e2eea0bfb107e820a079a41a3fc6afdf8378de930d7aa7b4160
MassLogger
2793ca2b4f702f2ddfcaeb0ccde6700da8b215b9894cf72adbece6a4d57a8e67
MassLogger
2a1b3187f7000dfb10dff758fe598e73e58d6864c5a4579e7c35acd88314ca20
MassLogger
2eea41fa4b1a202182851d36b3866be43e1ba8c4912c18290caaac84da4dbcce
MassLogger
49624f5c771ea1f722d434fe9ddb5985529f67ebb0398ed54f5565ba5e470251
MassLogger
4c172115335644672c3a6ef0b6db25528e124eed105da496db95f2672d7120ea
MassLogger
8f8324aa2244c6ecc4369ef6e5ea25b405ecf48aef96e34cc04c56f6ad240ade
MassLogger
a13424875703c2b22381b0f2db797498bca3ac5b677e2e30ae3441aeff6b9e0e
MassLogger
bbf5829871a9c0e6348a4cbab3327df93fd5196b611afafef770cf85e85bfd6c
MassLogger
+ 682 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200805-ne642r7ema/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger log file
MassLogger
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/ce41031b56cdb4cf97a4c9e24b14ffd16672719457b5a394daa7a4ccb91591bf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 2b28effca2feb3231324016122924a7873e11d4b0bc3a45467c645d2a73b0d48

MassLogger

Executable exe ce41031b56cdb4cf97a4c9e24b14ffd16672719457b5a394daa7a4ccb91591bf

(this sample)

  
Dropped by
MD5 0a4b2abdec7a18d23383cdc2dea90506
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2b28effca2feb3231324016122924a7873e11d4b0bc3a45467c645d2a73b0d48
Cape
Cape
https://www.capesandbox.com/analysis/39366/

Comments