MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de00e60ea65a5c4f7804c137b07d6973bdf8fc17ca192035b7976362e978a8d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	de00e60ea65a5c4f7804c137b07d6973bdf8fc17ca192035b7976362e978a8d2
SHA3-384 hash:	5f17f4e6f736117252f321f60e745222a61c1acb77057472c266555dd9a6b41e981a664d8fc00a26a0c82daab3a873df
SHA1 hash:	23b090662b3deaadf4e1db64849f8eee06e18a36
MD5 hash:	930f62764aa710a930de8d85abb9f25f
humanhash:	tango-high-item-skylark
File name:	New Inquiry-08312020.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'213'952 bytes
First seen:	2020-08-31 10:57:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:1a7SQTSs3JfUBwSO7sCOHPAvEajjV03ff:2S6fUBAsLPdajji
Threatray	372 similar samples on MalwareBazaar
TLSH	0845B085030C7FDFD4563AB42C6199A800BAAFD4E734E148FD07326685B3B5E775E88A
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: tcfs.net.in
Sending IP: 92.223.93.162
From: Wong Jeong <sales@tcfs.net.in>
Subject: Returned payment
Attachment: Returned payment.rar (contains "New Inquiry-08312020.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

84

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/455296

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/de00e60ea65a5c4f7804c137b07d6973bdf8fc17ca192035b7976362e978a8d2/

Threat name:

ByteCode-MSIL.Infostealer.Fareit

Status:

Malicious

First seen:

2020-08-31 00:53:20 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3yaomdvgljoe66aeye33a7ljoo67r7axzimsannxs5rwf2lyvdja._file

Verdict:

unknown

Similar samples:

04803c612483d76474860d5942b69d5ee3a68987a258b76283d60b345c188c62

04bc203b9c68d45a74189f7a7bc180fe4fe0304583fae10dee4b036a66e54437

275559f7e9052564ecacedb07b93ea0e552fe3cf4d5b3bbf315e1494efd712e2

527bf96dc4d090f961c250f7c6411f477acfafcea3a80e83f4f567a0d497f632

640e087a78aa77a9bb49027500f1f29f9d31f5b64c13c99b690ea813d0737fd4

ae8a8ca63a358e0c9cd1ce5100464f1c1dbd2b7724632fffc5e15152c67dc6fb

b881e52663ba0b4af029f185d0ff8b16c7e77f253df90a489e46b67e44c3c20f

b9b823a4a7732af045884bac1c801b2924521291e92157c7e90ed573f1236f54

dd5712ad571847f064a5dfcd49ee82e3d2b42959bef23a773512dc41af030f6e

e847719a98762bcf7422064186c2cdbb2f58000622448c3adcb6769b7cfbea68

+ 362 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/200831-pc2lkdsgrs/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Drops file in Windows directory

Looks up external IP address via web service

Looks up external IP address via web service

Reads user/profile data of web browsers

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/de00e60ea65a5c4f7804c137b07d6973bdf8fc17ca192035b7976362e978a8d2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 6ffbfca3e36e74a94ea243cac278f061a29d443eb89f7ffae98c38f487549b3b

exe de00e60ea65a5c4f7804c137b07d6973bdf8fc17ca192035b7976362e978a8d2

(this sample)

Dropped by

MD5 e1619365c4d254b193df99665d17b1c7

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/53423/

Dropped by

SHA256 6ffbfca3e36e74a94ea243cac278f061a29d443eb89f7ffae98c38f487549b3b

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample