MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10939877f109569dff853eef9ddb462dda69871bc04b44d45d1a784a21a208ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



MassLogger


Vendor detections: 6



SHA256 hash: 10939877f109569dff853eef9ddb462dda69871bc04b44d45d1a784a21a208ba
SHA3-384 hash: 66d465a509913dc2bddc9f17fa9ed7ead61dbd51d2f207ef4cfbb0e772853124361927c4828e002cacbb49c7b608611a
SHA1 hash: 6d7e6c8743f130c0a23551061516b47a9510729b
MD5 hash: 63ae3d497fc808ba1f4c5109d76c457f
humanhash: hotel-massachusetts-don-fillet
File name: Attached AWB.exe
Signature: MassLogger
File size: 965'632 bytes
First seen: 2020-07-10 18:01:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'672 x AgentTesla, 19'494 x Formbook, 12'214 x SnakeKeylogger)
ssdeep: 24576:os+KhRcyG0EWYxNw1Aj/T0aZ/csr7P5Q5M:TuxOI0K/BVq
Threatray: 2'085 similar samples on MalwareBazaar
TLSH: 4F2502707EF1AAC1C63E4E725872CC104A35EA2B6712E79B1DC52DAF186FBC50542B87
Reporter: abuse_ch
Tags: exe MassLogger


abuse_ch
Malspam distributing MassLogger:

HELO: ambit.co
Sending IP: 185.144.28.112
From: Vikram Waroshe<vikram.manwani@ambit.co>
Subject: Attached AWB.
Attachment: Attached AWB.zip (contains "Attached AWB.exe")

MassLogger SMTP exfil server:
smtp.yandex.ru:587

Intelligence


File Origin
# of uploads: 1
# of downloads: 91
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Reading Telegram data
Creating a file
Reading critical registry keys
Moving a recently created file
Deleting a recently created file
Threat name: ByteCode-MSIL.Trojan.CryptInject
Status: Malicious
First seen: 2020-07-10 18:03:06 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: masslogger
Score: 10/10
Tags: spyware stealer family:masslogger
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe 10939877f109569dff853eef9ddb462dda69871bc04b44d45d1a784a21a208ba (this sample)

Delivery method: Distributed via e-mail attachment
