MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1590167d71c9cd4bdacf01d5e56fb3b4315ddaf7ede3dc270de784a7ec12f2dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1590167d71c9cd4bdacf01d5e56fb3b4315ddaf7ede3dc270de784a7ec12f2dd
SHA3-384 hash: 7c98f61dd266cd64fb8865dcd5fdba6ff01e4842302016a9f8af920e9e9bd2edabfbd41315a096c6eaafe58a606b6b79
SHA1 hash: 59365b442e3be214cd76ae164daaa47e0d52fb99
MD5 hash: 2a3f68d64b40b2b1ab652183adcc69d4
humanhash: spaghetti-four-purple-blue
File name:Purchase Order Sample.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'199'104 bytes
First seen:2020-07-31 06:54:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:X7YohCigAQxf4MPNS3cx2JuNQgxPdJvbfib21iF:rYoUwNcxR77JvbL1iF
Threatray 699 similar samples on MalwareBazaar
TLSH 95455903796C95BACE398B3E844408C0D5F45C9D06CAF24627B87E7EC8BD2665D0F96E
Reporter abuse_ch
Tags:exe MailChannels MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: brown.elm.relay.mailchannels.net
Sending IP: 23.83.212.23
From: admin8@capstoneeeq.com
Subject: FOB Inquiry - PO Yh15072020003 / Urgent Order From BANGKOK
Attachment: Purchase Order Sample.zip (contains "Purchase Order Sample.exe")

MassLogger FTP exfil server:
ftp.hmpme.com:21

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35860/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/404598
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1590167d71c9cd4bdacf01d5e56fb3b4315ddaf7ede3dc270de784a7ec12f2dd/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-31 06:55:11 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cwibm7lrzhguxwwpahk6k35twqyv3wxx5xr5yjyn46ckp3as6loq._file
Verdict:
unknown
Similar samples:
1b59de7a97df74d5e59c0f02697e9ae4e9391a01998de6baf4c937bdf2f678f5
MassLogger
452413e4c1ae53679f676ea7e97a7f98697ee833896c6119bc6d8bf15cf06fba
MassLogger
96425dbadde8f6374899265654e2e0d7e471c756c34dff01f7d5ab08cb0c6a23
MassLogger
9c33a1f6a337e39a99c4480f19e63fbaeee191defcd51c8a908e9af9da8e115c
MassLogger
abee98b273f8b2c4530af48e1022c15af3932f99ad4fd011b7c5e529c5ae6434
MassLogger
bc4eb9e6d6e0b8e74778806de3a392800a98eb1460a56f38c523262277af1bac
MassLogger
c80ce609bceb3fb3d9c3432d8d42503644299c1ccf9a1b9d6f82f116948fed8a
MassLogger
f38a6d59735df60c2612686710b66c44a0042b7df2fe97e048fc6e480ce4848c
MassLogger
f7d1402eb35c67bfb9f0cdf77c4050fc40c936fc0034d8b86bdbd20deed76db0
MassLogger
f8bfe504676559b37494dd204efc4974a7a08f2abafdbee5a8e75bc6df16e5d5
MassLogger
+ 689 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200731-jw4ce5yeaa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger log file
MassLogger
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1590167d71c9cd4bdacf01d5e56fb3b4315ddaf7ede3dc270de784a7ec12f2dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip e50a804199c2303cf419613432fcc39612d644a0373e72e5b15a96b56a0521d6

MassLogger

Executable exe 1590167d71c9cd4bdacf01d5e56fb3b4315ddaf7ede3dc270de784a7ec12f2dd

(this sample)

  
Dropped by
MD5 7545cbee396441ca0ce3c2cf16f8f6b7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/35860/
  
Dropped by
SHA256 e50a804199c2303cf419613432fcc39612d644a0373e72e5b15a96b56a0521d6

Comments