MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 075522bcd1e68ecf9dd038bcfc839f2112f32d0ee8c38028bcc054dbb0fccd67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 075522bcd1e68ecf9dd038bcfc839f2112f32d0ee8c38028bcc054dbb0fccd67
SHA3-384 hash: 59b29e80b1ba17d980ee7abafe76d1abe0eacd0fcf24bdc8f2221c2998e59b26a88ba73023c5b9ce9eba4100979b247d
SHA1 hash: 5e5a9e7297e2c0cd5cefd42faca4356176c36c07
MD5 hash: dd9561ecab9b2781cfb08e0c7cabfc45
humanhash: robert-arizona-failed-beryllium
File name:Swift copy.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:271'704 bytes
First seen:2020-10-22 11:54:44 UTC
Last seen:2020-10-23 12:54:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:zNMTXYGyoe2C0sSEUUGxbGwd8nwGQx7GyUEhHkAfexLijrH:zYXYGyoXHUGxbGwd8nwGQx7GyUEhHkAH
Threatray 376 similar samples on MalwareBazaar
TLSH FF446116778A5D75FFB907703669D8820FF0F6D3A653C2781ED0AECEC4915002B3AA69
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gmail.com
Sending IP: 185.222.57.73
From: iahbilatassad@yahoo.com
Subject: FW: Swift payment copy
Attachment: Swift copy.zip (contains "Swift copy.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74634/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.41152.21768.16809.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
Sending a UDP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Enabling autorun
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/507039
Signature
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 302642 Sample: Swift copy.exe Startdate: 22/10/2020 Architecture: WINDOWS Score: 100 61 www.google.it 2->61 63 pastebin.com 2->63 65 hastebin.com 2->65 81 Multi AV Scanner detection for dropped file 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 Yara detected MassLogger RAT 2->85 87 7 other signatures 2->87 8 Swift copy.exe 24 6 2->8         started        13 Swift copy.exe 2->13         started        15 Swift copy.exe 2->15         started        signatures3 process4 dnsIp5 67 www.google.it 172.217.168.3 GOOGLEUS United States 8->67 69 pastebin.com 104.23.98.190, 443, 49721 CLOUDFLARENETUS United States 8->69 71 hastebin.com 104.24.126.89, 443, 49720, 49728 CLOUDFLARENETUS United States 8->71 57 C:\Users\user\AppData\...\Swift copy.exe, PE32 8->57 dropped 59 C:\Users\...\Swift copy.exe:Zone.Identifier, ASCII 8->59 dropped 89 Creates an undocumented autostart registry key 8->89 91 Creates autostart registry keys with suspicious names 8->91 93 Creates multiple autostart registry keys 8->93 17 Swift copy.exe 8->17         started        20 WerFault.exe 8->20         started        23 timeout.exe 1 8->23         started        33 8 other processes 8->33 73 104.23.99.190, 443, 49730, 49732 CLOUDFLARENETUS United States 13->73 75 192.168.2.1 unknown unknown 13->75 95 Adds a directory exclusion to Windows Defender 13->95 97 Hides threads from debuggers 13->97 99 Injects a PE file into a foreign processes 13->99 25 powershell.exe 13->25         started        27 powershell.exe 13->27         started        29 powershell.exe 13->29         started        35 2 other processes 13->35 31 timeout.exe 15->31         started        file6 signatures7 process8 file9 77 Tries to steal Mail credentials (via file access) 17->77 79 Tries to harvest and steal browser information (history, passwords, etc) 17->79 55 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->55 dropped 37 conhost.exe 23->37         started        39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        43 conhost.exe 27->43         started        45 conhost.exe 29->45         started        47 conhost.exe 31->47         started        49 conhost.exe 33->49         started        51 conhost.exe 33->51         started        53 2 other processes 33->53 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/075522bcd1e68ecf9dd038bcfc839f2112f32d0ee8c38028bcc054dbb0fccd67/
Threat name:
ByteCode-MSIL.Infostealer.Maslog
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 08:23:57 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a5ksfpgr42hm7hoqhc6pza47eejpglio5dbyakf4ybknxmh4zvtq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
2fea8f7c727460dfd943dce7f9bb051f188f37a0150a132039a1892f18749ff3
MassLogger
70caf501b061da2729d33d4b0c5e9b9c58bc554cdbdddef16f7e057ea346808c
MassLogger
8b1e278db9ecbeda3510a251e207576256e5cfe3171becac7c8b5758f2ca3a9a
MassLogger
9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4
MassLogger
a2b0e9c1ea03a3a538fe9ef7f8e6dbf4c08feba8560e238e29fce0dd2f2e144b
MassLogger
b49f4c0a41fe65d3e81919eae65adb01d493e08331e0e3652b30655d55170d52
MassLogger
b515db56b7c63191b19befe748f7af7f00d08623029e8856c86fc46362fbed9f
MassLogger
b71afd9d9ddfed028e4235476c6392f1a6d2bbee4c4263c61afcbb1ba1a2b2c5
MassLogger
c7f039cff52a5c1de59fb782259f3fd2054946e9fca03d364f61c7977128dcca
MassLogger
cbfa5e02ca4acf68dcfa7d286275cf1a6d424d4fe74bf840fc5452cfc3680f1e
MassLogger
+ 366 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
evasion trojan persistence spyware stealer family:masslogger
Link:
https://tria.ge/reports/201022-hnc1z1jcpn/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Windows security modification
MassLogger
MassLogger Main Payload
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Turns off Windows Defender SpyNet reporting
Unpacked files
SH256 hash:
075522bcd1e68ecf9dd038bcfc839f2112f32d0ee8c38028bcc054dbb0fccd67
MD5 hash:
dd9561ecab9b2781cfb08e0c7cabfc45
SHA1 hash:
5e5a9e7297e2c0cd5cefd42faca4356176c36c07
Link:
https://www.unpac.me/results/8802868b-b828-430f-96e0-aacb4a6a317b/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 047910d3743d642273b9edffe44a28541168a967b5e6c5fc7c1d97108cedf37d

MassLogger

Executable exe 075522bcd1e68ecf9dd038bcfc839f2112f32d0ee8c38028bcc054dbb0fccd67

(this sample)

  
Dropped by
MD5 afc78ea20dc2714719fe6d7e3b7a0aba
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74634/
  
Dropped by
SHA256 047910d3743d642273b9edffe44a28541168a967b5e6c5fc7c1d97108cedf37d

Comments