MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09d68059fed3b8a9e940eb293662b084cd4bed04b714db17baaefe1c8845458b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09d68059fed3b8a9e940eb293662b084cd4bed04b714db17baaefe1c8845458b
SHA3-384 hash: 5cc83f7eed1ccf511f7163c8acc21f5a6c11b4953c09d67b6a1edecac20ae19abb8f9c3fbf178f807c71bc98f17d8938
SHA1 hash: 931e40ec3cd3aebff03f13538c0782ba3250f128
MD5 hash: 774eb2b251d801594d926c12bd097676
humanhash: edward-asparagus-ack-william
File name:REQUEST FOR QUOTATION FILE.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:866'816 bytes
First seen:2020-10-11 16:36:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:7oEuVVv8ArF+7NVuw48Z5qAfZrR19qf6+VHpXYoutqFScfPr8F60ErsIL4wDZyRS:7CrFCL1qCB+VJInQsnUUwDf7Vb
Threatray 316 similar samples on MalwareBazaar
TLSH 0605283EFDC80537E6768672C9E619C2EA167A833116EE0F26D703410D03B5BAD8AD5D
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: webmail.cyber.net.pk
Sending IP: 203.101.175.37
From: PURCHASE DEPT <javaid@cyber.net.pk>
Subject: URGENT RFQ.
Attachment: REQUEST FOR QUOTATION FILE.PDF.Z (contains "REQUEST FOR QUOTATION FILE.exe")

MassLogger SMTP exfil server:
mail.ptautomation.com.vn:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Launching a process
Reading critical registry keys
Sending a custom TCP request
Setting a global event handler for the keyboard
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/487740
Signature
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/09d68059fed3b8a9e940eb293662b084cd4bed04b714db17baaefe1c8845458b/
Threat name:
ByteCode-MSIL.Trojan.Quasar
Create hunting rule
Status:
Malicious
First seen:
2020-10-11 15:59:09 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bhliawp62o4kt2ka5mutmyvqqtgux3iew4knwf52v37bzccfiwfq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
0adc7e74c78f1d91fa1972467bdee948477ade15409a3f2924f337de4038ded1
MassLogger
1535da1a6d1565e52d0ee483302229d387ab7e33d9c9f07f745c6154c7de61e7
MassLogger
18a6b8961bad38e78e24206c4716dc311c53ba24c4d930fc32e4a70b3821b6f4
MassLogger
199653ca7cce2aabf2b54f899d29ab68526525a14487f0f1e02b45a0ad3e1f7c
MassLogger
401b953b523b658a53f5da322b332176946c201d1b2f99c0cdc19f9c77cef0bc
MassLogger
74d28adc3557d41c3b20e1babb4a9307af0e981e606b505b55a6565c2cbde44c
MassLogger
8f24b4adb843172c14b392bcf73f1f46ac8a20091cb22649110bb937f84b281c
MassLogger
9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4
MassLogger
9c4a2d8473718bdb1725450b6f0567098006b9aa89fbd913acab1bab0857143d
MassLogger
bc0af8fda43937d6a0d717e5be51d3f5a51a67077bc8ca85f031fa5bc08d165a
MassLogger
+ 306 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
spyware stealer family:masslogger
Link:
https://tria.ge/reports/201011-s96mjkjp5j/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
da51f1cbdabb9ac8a5f64ece3faef761527b8dd92965abc58333bebd63cf6cd0
MD5 hash:
7131f09c9593ea4f39b622c90c2a708c
SHA1 hash:
a46df0080ca38623dd468b89aa3cb36bc6b58d76
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/03bde657-bd37-4ceb-9327-ea3c1636e00b/
Parent samples :
401b953b523b658a53f5da322b332176946c201d1b2f99c0cdc19f9c77cef0bc
09d68059fed3b8a9e940eb293662b084cd4bed04b714db17baaefe1c8845458b
SH256 hash:
20261caeee292d6f407b28f0b885ff3b8f29e7d46bf73374001d88dd32c6f10f
MD5 hash:
5abecf97decda257c0826bcc039639f9
SHA1 hash:
331236e8566cb3b98d53a6c728a162af2871683e
Link:
https://www.unpac.me/results/03bde657-bd37-4ceb-9327-ea3c1636e00b/
SH256 hash:
165b6353a27653c087637f372f70713e4e0af658e87f03ba0703d8b975525243
MD5 hash:
112730ad698bcb62cfb8c64c4862640a
SHA1 hash:
6b42b1f3f372785c40b4f80c35d6aa2e0d012429
Link:
https://www.unpac.me/results/03bde657-bd37-4ceb-9327-ea3c1636e00b/
SH256 hash:
e7f2d2b69261d3a491d7d0b8c036e9ea74e87c12da7c895c2a7fe9e2a754d206
MD5 hash:
ef7b5d77a5c231daa72ab491c8cb1edf
SHA1 hash:
133ae893e36a94ec11bc551f12f8d0d007dcf967
Link:
https://www.unpac.me/results/03bde657-bd37-4ceb-9327-ea3c1636e00b/
SH256 hash:
a9bdf8ff2cf545d3c786350fb5850a44b1fed970637c1cc6894f0f612a3d6d33
MD5 hash:
6051579116be38069e62aba2a2fed804
SHA1 hash:
e68b369bc131a32d5233ee395f47b337c2469042
Link:
https://www.unpac.me/results/03bde657-bd37-4ceb-9327-ea3c1636e00b/
SH256 hash:
09d68059fed3b8a9e940eb293662b084cd4bed04b714db17baaefe1c8845458b
MD5 hash:
774eb2b251d801594d926c12bd097676
SHA1 hash:
931e40ec3cd3aebff03f13538c0782ba3250f128
Link:
https://www.unpac.me/results/03bde657-bd37-4ceb-9327-ea3c1636e00b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/09d68059fed3b8a9e940eb293662b084cd4bed04b714db17baaefe1c8845458b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

z ce1424d27e5a98c9920c97ae6339d03172b0c5830b494e55b59c2705a92aec44

MassLogger

Executable exe 09d68059fed3b8a9e940eb293662b084cd4bed04b714db17baaefe1c8845458b

(this sample)

  
Dropped by
MD5 5bf3c474f0fa3b8085abe1258aa4ec65
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69843/
  
Dropped by
SHA256 ce1424d27e5a98c9920c97ae6339d03172b0c5830b494e55b59c2705a92aec44

Comments