MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0728fd4058762cdab5e5366f0e353fc86437707048e0a5a915a1d2c433a67c7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0728fd4058762cdab5e5366f0e353fc86437707048e0a5a915a1d2c433a67c7c
SHA3-384 hash: f51344341e16267ded6d074b05fe29b8f1fbe1095a51ccd9b4f9eea43466c56ceef5591b854e464f2592369c27fbe2c5
SHA1 hash: be1a3ad589f9ec581470ed9a91cdfc950df37b1a
MD5 hash: 436f1f00588b42189b6f818fa15af051
humanhash: florida-sierra-winter-earth
File name:Machine drawing.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'232'896 bytes
First seen:2020-11-19 07:20:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:Slx9ObBlaCoJbm526rSGdHm+arb0JaqNnPmOUFP43iNGG:uGG
Threatray 539 similar samples on MalwareBazaar
TLSH 87454AF4A1AB24D1F61F853696ADBD9402B2B2D79FC37948633DE2700BB26627F0450D
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: vps-3871858.yjara.com
Sending IP: 162.241.101.217
From: RMS Machinery <rudy@rmsmachinery.com>
Reply-To: info@miabasto.com
Subject: Request for Machine Quotation (Michigan Project)
Attachment: Machine drawing.img (contains "Machine drawing.exe")

MassLogger SMTP exfil server:
bh-58.webhostbox.net:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Result
Gathering data
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/542355
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 320273 Sample: Machine drawing.exe Startdate: 19/11/2020 Architecture: WINDOWS Score: 88 42 Yara detected MassLogger RAT 2->42 44 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 2->44 46 May check the online IP address of the machine 2->46 48 5 other signatures 2->48 8 Machine drawing.exe 1 4 2->8         started        12 firefoc.exe 2->12         started        14 firefoc.exe 2->14         started        process3 file4 24 C:\Users\user\AppData\Roaming\...\firefoc.exe, PE32 8->24 dropped 26 C:\Users\user\...\firefoc.exe:Zone.Identifier, ASCII 8->26 dropped 28 C:\Users\user\...\Machine drawing.exe.log, ASCII 8->28 dropped 50 Injects a PE file into a foreign processes 8->50 16 Machine drawing.exe 15 2 8->16         started        signatures5 process6 dnsIp7 30 bh-58.webhostbox.net 199.79.63.24, 49762, 587 PUBLIC-DOMAIN-REGISTRYUS United States 16->30 32 elb097307-934924932.us-east-1.elb.amazonaws.com 54.225.169.28, 49759, 80 AMAZON-AESUS United States 16->32 34 2 other IPs or domains 16->34 36 Tries to steal Mail credentials (via file access) 16->36 38 Tries to harvest and steal browser information (history, passwords, etc) 16->38 40 Adds a directory exclusion to Windows Defender 16->40 20 powershell.exe 11 16->20         started        signatures8 process9 process10 22 conhost.exe 20->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0728fd4058762cdab5e5366f0e353fc86437707048e0a5a915a1d2c433a67c7c/
Threat name:
ByteCode-MSIL.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 07:21:06 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a4up2qcyoywnvnpfgzxq4nj7zbsdo4dqjdqklkivuhjmim5gpr6a._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
116ea34f9e2aba532b39a48d0612f43632afea0039478a6d522e5f9c66141c1b
MassLogger
5dd8cf7e789bc36a9a069cf42247f758e8900f8913c88e5ac84328d30e6d7c99
MassLogger
7f65935cd55b5a0978bf0a70690462a08d83657a97ddbe6aba871a5496d5f9c5
MassLogger
8bd39d451b99909467edb3df6618762071da426ee580108882e300cf8b21b0cb
MassLogger
9b19c9209b2ae45df8c1d9d9f9b4e00f3d6c9edfb4ff64578d06a5a3f0a099e2
MassLogger
9f999d5b44ff7bd243bc33f8a89f504c95d6b21eef26b7b80a49715471ff43d3
MassLogger
bc0af8fda43937d6a0d717e5be51d3f5a51a67077bc8ca85f031fa5bc08d165a
MassLogger
ce073fce9de335c288fe205d5bf7fbdd9fd3ecc718821116dbad098f176a69de
MassLogger
ed42640da83dda3bf2ed08c414bfd256a82c9a8ef1894a59e3c421b254c59d4d
MassLogger
f925d649aee4b92c974778fd87576229f44972c23df41df5aacdd9dc55fd2c45
MassLogger
+ 529 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger persistence spyware stealer
Link:
https://tria.ge/reports/201119-tba7de3ebn/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
0728fd4058762cdab5e5366f0e353fc86437707048e0a5a915a1d2c433a67c7c
MD5 hash:
436f1f00588b42189b6f818fa15af051
SHA1 hash:
be1a3ad589f9ec581470ed9a91cdfc950df37b1a
Link:
https://www.unpac.me/results/f8f8df8f-ac47-48d7-9a64-3d43aac3ceb2/
SH256 hash:
9f244791ff6ba77306eec46701e9eb6ef149a550d439f3b94708c054dcb40598
MD5 hash:
df40a4131cc4900ccf956deb5e2ff3f1
SHA1 hash:
bda7be9c0bdd737d585854a92c53c98fa9b9619f
Link:
https://www.unpac.me/results/f8f8df8f-ac47-48d7-9a64-3d43aac3ceb2/
SH256 hash:
5e5aab7c690e6d078f14a3d16dbd709a5e429679865768f464abba47612b7a06
MD5 hash:
6543741cf1507ed6c5bf7345290aecf3
SHA1 hash:
07d90e3b76fd2edd48ff957f4efa8a8742a87832
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/f8f8df8f-ac47-48d7-9a64-3d43aac3ceb2/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/f8f8df8f-ac47-48d7-9a64-3d43aac3ceb2/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

img d42b286aa130634ab7f384cb22334b991d348c5dc46d780c5acf091681930cce

MassLogger

Executable exe 0728fd4058762cdab5e5366f0e353fc86437707048e0a5a915a1d2c433a67c7c

(this sample)

  
Dropped by
MD5 75dc11494b63f509f792ed93afe585b3
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d42b286aa130634ab7f384cb22334b991d348c5dc46d780c5acf091681930cce

Comments