MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 175dc1ef3ca07f65986afd11a9ee79ba66d92e8bb2ab11ae0fc2a8a06f630f78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 175dc1ef3ca07f65986afd11a9ee79ba66d92e8bb2ab11ae0fc2a8a06f630f78
SHA3-384 hash: e53c7f27581944f85a4d7946ee00f854948eab15ff6d618295911bb33da8e2e841ccab951bb0978f3c96b005d3c333e5
SHA1 hash: 735e40fbfbf539209ab28ee50d1fd9871c12084e
MD5 hash: a90e0776e6dd98ef7d2317fdc9f8c15d
humanhash: twelve-nevada-romeo-sad
File name:The Candidates List.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:973'824 bytes
First seen:2020-07-21 07:41:10 UTC
Last seen:2020-07-22 08:48:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:Z46rnVw8M/Zs5jQcSEhSRm3K8YdwvRlxH0ZP:iYM/4scSvm3K9dwv1
Threatray 819 similar samples on MalwareBazaar
TLSH 8D25EF40D7F88ADAE7BA17BDE474005087B4B51AA7EAE74C1B91F4E81922351CB13F63
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: rudrabuildwell.com
Sending IP: 45.143.222.172
From: Abdul Rahman <info@rudrabuildwell.com>
Subject: candidate list attached
Attachment: The Candidates List.zip (contains "The Candidates List.exe")

MassLogger FTP exfil server:
hraspirations.com:21

Intelligence

File Origin
# of uploads :
2
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29832/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading Telegram data
Reading critical registry keys
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Deleting a recently created file
Sending a custom TCP request
Unauthorized injection to a system process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/175dc1ef3ca07f65986afd11a9ee79ba66d92e8bb2ab11ae0fc2a8a06f630f78/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 07:43:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c5o4d3z4ub7wlgdk7ui2t3tzxjtnslulwkvrdlqpykuka33db54a._file
Verdict:
unknown
Similar samples:
10eead56b5d7413b12b1fd1a4bf63dba2fa8995dad47d9a29577efd98264247a
MassLogger
218ab0970b729fe790515e64e9eab88b22893c7cac5594bd6d81b16e2245dcb4
MassLogger
5415e279ac5674de2c5ff76fac550a2588d156b59888c207f48bf81da76729b8
MassLogger
5c5408db84b06949b9aae7b528ad603bf17615ceac0aba3cd79cc92ed77b8163
MassLogger
7d95d648a3a6f221f5b9833c631e3a009454a0209666b717e091bf1886c995a2
MassLogger
8707af08ec5c7b76ea40346f7b62861080f534fc2438a30cda18260563a7c16e
MassLogger
9bd6661010ba5518e4db4cd619eb805765e72d5923065fbb46e4c48a6db7e631
MassLogger
a4cfc3715bff5df4b930adfd46eda975666cafebd5e538910680f44d105170a3
MassLogger
b1f60766fb1c9d311d8200f0d45898156f6ce60e9db644032731e9284bf1c552
MassLogger
daa21287c64f4ddf57136d013858af29aaa8ad92ee7d7cde68531f0b5979c55d
MassLogger
+ 809 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200721-3hea61a3fs/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger log file
MassLogger
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/175dc1ef3ca07f65986afd11a9ee79ba66d92e8bb2ab11ae0fc2a8a06f630f78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 374bb0dea8b49b183d0f9cfbce09206b58fad14eaf38663ecbcf6f3480d5b5db

MassLogger

Executable exe 175dc1ef3ca07f65986afd11a9ee79ba66d92e8bb2ab11ae0fc2a8a06f630f78

(this sample)

  
Dropped by
MD5 37d812eadbd07118a89d088ffae452ec
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/29832/
  
Dropped by
SHA256 374bb0dea8b49b183d0f9cfbce09206b58fad14eaf38663ecbcf6f3480d5b5db

Comments