MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed23e691927f32d5c2d18f5b763fcc71fa62c6150233b1dbcf967d13521ef8f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	ed23e691927f32d5c2d18f5b763fcc71fa62c6150233b1dbcf967d13521ef8f6
SHA3-384 hash:	04b91a6fc6a21c2906fb0e947cc7a36fad6900660c6ea0974fc12302151c346c1a42c00ac96cddd0d36a83a0de535039
SHA1 hash:	d40bcc45c638bef0f43dd8e33971a4f90956b6f9
MD5 hash:	a2c75cedd6deb53d4ca5508e87e15eed
humanhash:	princess-diet-bacon-lake
File name:	PO ORDER.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	931'840 bytes
First seen:	2020-08-14 10:13:21 UTC
Last seen:	2020-08-14 11:01:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:9O0MR5uNf2ZHiAxhPxGR46jRB4KZXWHl5fHaBavhj:9O0Mfu0RiAxhpMhX4WX0fH+Ix
Threatray	457 similar samples on MalwareBazaar
TLSH	4F15123E52F1D404C03BF13E91691086B2EBEC9B1894C70A79EC1DE40E256E65A6BDFD
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: jax4mhfb02.myregisteredsite.com
Sending IP: 64.69.218.95
From: Muhammad Shafi <osamah@horizons.us.com>
Reply-To: Muhammad Shafi <osamah@horizons.us.com>
Subject: PO order NO : 00181356-1074
Attachment: PO ORDER.rar (contains "PO ORDER.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

74

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45791/

Detection(s):

SecuriteInfo.com.Trojan.Siggen10.4036.20359.11111.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Running batch commands

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/429398

Signature

Binary contains a suspicious time stamp

Deletes itself after installation

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ed23e691927f32d5c2d18f5b763fcc71fa62c6150233b1dbcf967d13521ef8f6/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-14 10:15:13 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5ur6nemsp4znlqwrr5nxmp6moh5gfrqvaiz3dw6psz6rguq67d3a._file

Verdict:

malicious

Similar samples:

01c68fa90d6ec7b0435b4aa331d485c893c06ccc6809a6fa26647086acca9ab8

08ee9ac3d7281eb7feb916d7e49d8b178ea88f69a2eb17b317f1e32842e89382

3142e234938b7d0d3bccb3faada5555b00f9e5d8fe9fc7dba7efe07ae03e4d99

60464dbfb4a5cb7227d3afe20367adb84757365e1b9a466ef95c0c96c28b31cf

6477024ed851023f3d69427ca14e9744d5cc6401daae7566dbbe6732788e721e

6d430704bd3c6594f4732ec7e0f4bc0b899e93ac4d82d7f32da912dc6bdb9c35

6ee9c2dbb4e02add4966f1a720be2c6dd22cb0088fff92aa0e9a6b4d91e85b67

82c58393e0d855e14a9a3dadf046d823134e3d65c098146c9689df121739334b

d8f4223d57a495c09741feb21a5e2ec082321d38a77e54a4d2b4b147d8e6bc23

ebc70b3a49276d78bea1209073f9855253b5110034c8159c704dde0ebd248008

+ 447 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200814-gayhk3aqnn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.87

Link:

https://yomi.yoroi.company/submissions/ed23e691927f32d5c2d18f5b763fcc71fa62c6150233b1dbcf967d13521ef8f6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 07260bae8062330a1a42e28f0791ef86676000dbc4499d657ba91a662829cce4

exe ed23e691927f32d5c2d18f5b763fcc71fa62c6150233b1dbcf967d13521ef8f6

(this sample)

Dropped by

MD5 8e54371b1e0678df3c185c9197a2aaa6

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/45791/

Dropped by

SHA256 07260bae8062330a1a42e28f0791ef86676000dbc4499d657ba91a662829cce4

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample