MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8f4223d57a495c09741feb21a5e2ec082321d38a77e54a4d2b4b147d8e6bc23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8f4223d57a495c09741feb21a5e2ec082321d38a77e54a4d2b4b147d8e6bc23
SHA3-384 hash: c93560d51dd9569e3f1a938944acc34f3004308693d24a623748df775b00b9397938147c11c934fa7f44c02467ee1e27
SHA1 hash: 81443874dc7ac6cb16786f2c8779d823e13986dc
MD5 hash: 8c2ae0a1d14cda74ddc4309b46fee9a3
humanhash: muppet-december-romeo-delaware
File name:DHL Shipping Documents.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:2'114'560 bytes
First seen:2020-06-16 12:59:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 49152:gh+ZkldoPK8YaphcZC/cSsKtOz2QF1n8m7ZfBX:B2cPK81XcnKtMBnNNB
Threatray 1'224 similar samples on MalwareBazaar
TLSH 0EA5E00273929036FFAF92735B6AB20556BCA9250123853F13981DB9BD701B12E7D26F
Reporter abuse_ch
Tags:DHL exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: slot0.signform-pl.me
Sending IP: 45.95.169.216
From: DHL EXPRESS<szr.pavlinji@neobee.net>
Reply-To: <info@dormak.com.tr>
Subject: Re: RE: URGENT::::DHL tracking no 4680921932
Attachment: DHL Shipping Documents.zip (contains "DHL Shipping Documents.exe")

MassLogger SMTP exfil server:
mail.elkat.com.my:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ispy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10999/
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Occamy
Create hunting rule
Status:
Malicious
First seen:
2020-06-16 13:01:09 UTC
AV detection:
28 of 30 (93.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3d2cepkxusk4bf2b72zbuxroycbdehjyu57fjjgswsyupwhgxqrq._file
Verdict:
malicious
Similar samples:
08ee9ac3d7281eb7feb916d7e49d8b178ea88f69a2eb17b317f1e32842e89382
MassLogger
204ea760ae22f10f6a9cb8b3ca42d5386ee9a833d475443e3bb99de6896e2540
MassLogger
25cad7bf759140fbbc572d967d517061b707470e921cd4535cc0d826f5d64416
MassLogger
3142e234938b7d0d3bccb3faada5555b00f9e5d8fe9fc7dba7efe07ae03e4d99
MassLogger
4c5881962cffc89a01446fe5cfaa1c5f5a42c29c2ec1b75f9dd10232434e9986
MassLogger
60464dbfb4a5cb7227d3afe20367adb84757365e1b9a466ef95c0c96c28b31cf
MassLogger
6d430704bd3c6594f4732ec7e0f4bc0b899e93ac4d82d7f32da912dc6bdb9c35
MassLogger
83b37e01d5d48f6a7bc0557863a4e91e84dfc8a1e721850ea265f78cbd6d275a
MassLogger
8f5a34f80165dd3b125af00e0f799000581693356c589931ac12a3eca44dba2d
MassLogger
ebc70b3a49276d78bea1209073f9855253b5110034c8159c704dde0ebd248008
MassLogger
+ 1'214 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware stealer spyware family:masslogger
Link:
https://tria.ge/reports/200624-vzsw6fndtj/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetThreadContext
Looks up external IP address via web service
MassLogger log file
MassLogger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 6097f132b4a98062dbb7ea2302774344f1b004043e5771ffa64a34dffd4830de

MassLogger

Executable exe d8f4223d57a495c09741feb21a5e2ec082321d38a77e54a4d2b4b147d8e6bc23

(this sample)

  
Dropped by
MD5 8a1e0fb720c78b0b65ce416e5ec6cf3e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6097f132b4a98062dbb7ea2302774344f1b004043e5771ffa64a34dffd4830de
Cape
Cape
https://www.capesandbox.com/analysis/10999/

Comments