MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de7e69ec920dccdc40220e414a2d1b3bc05e53c5f5ea34e309bd3365aa5dae78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 2 Comments

SHA256 hash: de7e69ec920dccdc40220e414a2d1b3bc05e53c5f5ea34e309bd3365aa5dae78
SHA3-384 hash: d96b5e5c023cce56dbb0bc7061466f051ab1cb7ca0c1150d31f659f7477edc28aca26a07c60a788e7e2aebcb8d69b753
SHA1 hash: df7966c6dda6c785ad4bcf5b7a49f0a99a9bc51e
MD5 hash: 93a02efc3319e40884d86f0603d6073d
humanhash: oxygen-jig-saturn-seventeen
File name:Q2020-07-466am.exe
Download: download sample
Signature MassLogger
File size:1'440'256 bytes
First seen:2020-07-31 10:16:19 UTC
Last seen:2020-07-31 11:08:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 12288:gHX8kTaa4C/vW/R7h2Iq2oJUadK0RXgJ3ukGHN5uKyOtTiZfhz:gHLTEJ9rqUozRlkGLuKyYTQ
TLSH 8D653A3E38834514C969463580289AC1BAE1A74B3B62CB5DE1EF134F5F03B6B7B560DE
Reporter @abuse_ch
Tags:exe MassLogger


Twitter
@abuse_ch
Malspam distributing MassLogger:

HELO: mexportools.mx
Sending IP: 37.49.230.253
From: Eduardo Malato <eduardo.malato@mexportools.mx>
Subject: RE: Q2020-07-466am
Attachment: Q2020-07-466am.iso (contains "Q2020-07-466am.exe")

MassLogger SMTP exfil server:
mail.privateemail.com:587

Intelligence


File Origin
# of uploads :
2
# of downloads :
32
Origin country :
US US
Mail intelligence
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
Detection:
MassLogger
Result
Threat name:
MassLogger RAT
Detection:
malicious
Classification:
troj.spyw.evad
Score:
66 / 100
Signature
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Found malware configuration
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Add file from suspicious location to autostart registry
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 255289 Sample: Q2020-07-466am.exe Startdate: 31/07/2020 Architecture: WINDOWS Score: 66 38 g.msn.com 2->38 40 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->40 42 Found malware configuration 2->42 44 Yara detected MassLogger RAT 2->44 46 Sigma detected: Add file from suspicious location to autostart registry 2->46 48 3 other signatures 2->48 8 Q2020-07-466am.exe 7 2->8         started        11 pcalua.exe 1 1 2->11         started        signatures3 process4 file5 28 C:\Users\user\AppData\Roaming\chulo.exe, PE32 8->28 dropped 30 C:\Users\user\AppData\...\InstallUtil.exe, PE32 8->30 dropped 13 chulo.exe 3 8->13         started        15 cmd.exe 1 8->15         started        process6 process7 17 InstallUtil.exe 15 5 13->17         started        22 reg.exe 1 1 15->22         started        24 conhost.exe 15->24         started        dnsIp8 32 mail.privateemail.com 198.54.122.60, 49740, 587 NAMECHEAP-NETUS United States 17->32 34 elb097307-934924932.us-east-1.elb.amazonaws.com 54.225.66.103, 49739, 80 AMAZON-AESUS United States 17->34 36 2 other IPs or domains 17->36 26 C:\Users\user\AppData\Local\Temp\...\Log.txt, ASCII 17->26 dropped 50 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->50 52 Tries to steal Mail credentials (via file access) 17->52 54 Creates an autostart registry key pointing to binary in C:\Windows 22->54 file9 signatures10
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Status:
Malicious
First seen:
2020-07-31 10:18:09 UTC
AV detection:
15 of 31 (48.39%)
Threat level
  5/5
Result
Malware family:
masslogger
Score:
  10/10
Tags:
ransomware persistence spyware stealer family:masslogger
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
MassLogger log file
MassLogger
Threat name:
Malicious File
Score:
1.00

Yara Signatures


Rule name:masslogger_gcch
Author:govcert_ch
Rule name:win_masslogger_w0
Author:govcert_ch

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe de7e69ec920dccdc40220e414a2d1b3bc05e53c5f5ea34e309bd3365aa5dae78

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments