MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1dc21d30d3202d5885c58439163601b1cde9a0a094129dd8e39f0ed8b7f10953. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1dc21d30d3202d5885c58439163601b1cde9a0a094129dd8e39f0ed8b7f10953
SHA3-384 hash: 11722716690c78918f49cf81459d1b67ca05673bef9e55912b715d56fa9cca8742eee4024c62c16993326d78efc91ebd
SHA1 hash: ee96ef2521dc3adf322d157a14d1354a3f544c3f
MD5 hash: 937c2ad1c58ff52c51ee58c7c2cd0c16
humanhash: lactose-july-uniform-queen
File name:00158007301057500.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'185'280 bytes
First seen:2021-01-14 06:58:03 UTC
Last seen:2021-01-14 08:52:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:lEtRdAAnszzi+k2EWZqdABUWDjEp48okSxJOszZi:lE7dAAcrk2vOAoViOszM
Threatray 803 similar samples on MalwareBazaar
TLSH 8545BF41EF92A710C7AC22FE141444761BA5DB75B2E8E32CC98570FA6F66B6C04FD293
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: vakifbank.com.tr
Sending IP: 155.94.185.117
From: ekstre@vakifbank.com.tr
Subject: E-Ekstre (BİNSU İÇ VE DIŞ TİCARET LİMİTED ŞİRKETİ)
Attachment: 00158007301057500.r00 (contains "00158007301057500.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
00158007301057500.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-14 07:40:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/69f26c38-ff8c-4aaf-9e07-cbe0174393e4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111948/
Detection(s):
SecuriteInfo.com.Artemis937C2AD1C58F.10195.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/581175
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1dc21d30d3202d5885c58439163601b1cde9a0a094129dd8e39f0ed8b7f10953/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-14 06:58:19 UTC
AV detection:
6 of 44 (13.64%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dxbb2mgteawvrbofqq4rmnqbwhg6tifasqjj3whdt4hnrn7rbfjq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
04a3cf2c1316b5dd21365ac36bc970cc9b28514d42d41712c783345e07a99a07
MassLogger
4b174227ea49d30f3378e8469d9849015779d6d3da73333ad0b386411bfade20
MassLogger
5f53adb34adbcb6eeec29d48e9d80a401d1476eff2e826cb2c7ac02d8d7e2785
MassLogger
76f57a95f53a1affc3605793c7472f2825b3b0db5f1cd3864136704ebd412803
MassLogger
85729ea0b65a0a56b59f3e8ed961d4ce07f34804fb6b466b6d1c32e17cda4d8d
MassLogger
b4da98102844534fa2c6542fd79804d88e197e821764c78e31741b853aa5238e
MassLogger
c930deb75ebc8fd117d585898358df69af8ce6ffe9569ef5f47ad9fc6f26d01e
MassLogger
d5e2e50e17e2571167edb599cd5730f1f1c36a7e25e35010c7584b3306aebda9
MassLogger
ea6283f89a072a6fc910d5e1a023dd1b5b59b11b3dc18cf4773d7e03e68b21b1
MassLogger
eea5bf8f462d2cb96bc5021495ea54f474dc26ab44d08fa6ce78740f6c2a92d4
MassLogger
+ 793 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger spyware stealer
Link:
https://tria.ge/reports/210114-b76xybavf2/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Deletes itself
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5
MD5 hash:
4cf24d41a7882216740280e3294cb853
SHA1 hash:
6bcb31d3dc0a7d71da1067a628168664202769a4
Link:
https://www.unpac.me/results/be9bda46-fa64-4258-b72b-240bfae666d0/
SH256 hash:
e5d4125982404722b496d977ff56baa4b00736780faff6cefef414898233126b
MD5 hash:
80d8b41f251c8ebd28d3c7023a68aef3
SHA1 hash:
4b95f2d4527cd6796757e663b1b96df05693845f
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/be9bda46-fa64-4258-b72b-240bfae666d0/
Parent samples :
5f53adb34adbcb6eeec29d48e9d80a401d1476eff2e826cb2c7ac02d8d7e2785
85729ea0b65a0a56b59f3e8ed961d4ce07f34804fb6b466b6d1c32e17cda4d8d
1dc21d30d3202d5885c58439163601b1cde9a0a094129dd8e39f0ed8b7f10953
SH256 hash:
0c4d3245f1dca21f914b527f8eb6066be5e6bd7bbc165559d0fea5a707e69105
MD5 hash:
a3a1c3c1f05fa2a3b33b4d809938601f
SHA1 hash:
eaa4223e27e7ee57dc9ec494320f8338129113e5
Link:
https://www.unpac.me/results/be9bda46-fa64-4258-b72b-240bfae666d0/
SH256 hash:
1dc21d30d3202d5885c58439163601b1cde9a0a094129dd8e39f0ed8b7f10953
MD5 hash:
937c2ad1c58ff52c51ee58c7c2cd0c16
SHA1 hash:
ee96ef2521dc3adf322d157a14d1354a3f544c3f
Link:
https://www.unpac.me/results/be9bda46-fa64-4258-b72b-240bfae666d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/1dc21d30d3202d5885c58439163601b1cde9a0a094129dd8e39f0ed8b7f10953

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

r00 e522d68a52706ed5a929b6a52a1a90674aeebbd2aa94b0e934a68d87d6574db4

MassLogger

Executable exe 1dc21d30d3202d5885c58439163601b1cde9a0a094129dd8e39f0ed8b7f10953

(this sample)

  
Dropped by
MD5 b8b3b69e90b438ee87a5839da46363bc
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e522d68a52706ed5a929b6a52a1a90674aeebbd2aa94b0e934a68d87d6574db4
Cape
Cape
https://www.capesandbox.com/analysis/111948/

Comments