MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef30ffc2d3ba3ec27cfaee6dd4e86f0fa4e2c8799e341affa924e0763d51ed1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	ef30ffc2d3ba3ec27cfaee6dd4e86f0fa4e2c8799e341affa924e0763d51ed1a
SHA3-384 hash:	5e52c8333605a7b47081c6c6c8e5e5f525ef838792ae503767bd85f96ff40bb9872faf90b32d107d62dd5aae2cedf662
SHA1 hash:	9702a0f0f06d893d900402344d1616b8eeed86cc
MD5 hash:	cd43c1409987ea30440112f44b07038a
humanhash:	lemon-happy-red-magnesium
File name:	PO7562201.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	911'872 bytes
First seen:	2020-08-05 12:09:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:RL1Br+F1AaZHB07hg4PSjJihftaW9wNIYzs9ORqIfiKLNhVLK9gLONeYe3Q2yfN+:N1Zraf0hRHhVaW98zNfnDOM3fs6r
Threatray	711 similar samples on MalwareBazaar
TLSH	B115DF1F31D51A88F9AD9EFF5D3518E38F27F89FC62294973621506A00FA148B929F18
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: server.accountpdd.life
Sending IP: 89.41.26.168
From: Qing <johncarlos@proradiocomm.com>
Subject: Re :Re :New Order PO7562201
Attachment: PO7562201.gz (contains "PO7562201.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/39554/

Detection(s):

SecuriteInfo.com.CIL.HeapOverride.Heur.12087.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Running batch commands

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/411185

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Deletes itself after installation

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM_3

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ef30ffc2d3ba3ec27cfaee6dd4e86f0fa4e2c8799e341affa924e0763d51ed1a/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-05 12:11:12 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=54yp7qwtxi7me7h25zw5j2dpb6sofsdzty2bv75jetqhmpkr5una._file

Verdict:

unknown

MassLogger

1c989f633edcaea6e97a4a96f8a1f9ed19d54ed109cfaf1053a67dc48d28fd52

MassLogger

262df2047b1eb08b3e58a1edc2823e38563c42d74027a7ecfa2a6a8c7f1f1541

MassLogger

7cfa62ab7a592f04b4268ad35e2a90739666f9d5e91eaa5808dd8ba11239f43d

MassLogger

89af10238032ab225e998887850c3910abd7183e67018abfe56b0bdebf2d50d9

MassLogger

8e86d9234855b1ecd39a173027ac4486f443b4eb1896e28e8b2e79212107e762

MassLogger

9dfba413d306830589105d96b90b5ea870b1975bd371350635ea1c2b591bcbd8

MassLogger

a8a2e34c6f491ba5d0f16899835630257c0124249fd1d0852b27e736b2a98b3d

MassLogger

cf9aa52cd8829760f779772b7b483ff039100b5d6311c85f969553b6ce66d58b

MassLogger

e387e96aeb069a6060b78456f7cac7be958a23a617ef2b6adc6caf3db23ce8b4

MassLogger

+ 701 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200805-tr7xz4qha6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger log file

MassLogger

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ef30ffc2d3ba3ec27cfaee6dd4e86f0fa4e2c8799e341affa924e0763d51ed1a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

gz 5024d7052a08cb4612a33edbadd6cfb5f52699dd0e3f77f86bd1aeb751f8fad2

MassLogger

exe ef30ffc2d3ba3ec27cfaee6dd4e86f0fa4e2c8799e341affa924e0763d51ed1a

(this sample)

Dropped by

MD5 a389e6c1383812a2222d986823223a3a

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 5024d7052a08cb4612a33edbadd6cfb5f52699dd0e3f77f86bd1aeb751f8fad2

Cape

https://www.capesandbox.com/analysis/39554/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample