MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e17f40e9221c60fa2516f0c59806053a35cf826a1f305502425bf7349e120f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e17f40e9221c60fa2516f0c59806053a35cf826a1f305502425bf7349e120f4
SHA3-384 hash: 2c07bd81a173a35b6fda12de6610590caf01f91f091f6a752200d23646992406a6e365dce9b535c628c3a367776695a6
SHA1 hash: 0113053b66e40f575872e7407af674ade6de6b03
MD5 hash: d9dc20ba3c5255b2a81cdcc44e9b1e44
humanhash: michigan-lion-chicken-pluto
File name:GTS_21_9018_ORDER_pdf.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:20'696 bytes
First seen:2021-02-24 06:56:43 UTC
Last seen:2021-02-24 09:03:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:XQzlWolNq8UD4BDfqmvufIle3ATCTCJ+j4aZVvZTaahbO:tl4B7cfwOTClaZVvZTaah
Threatray 628 similar samples on MalwareBazaar
TLSH 60924A135E5A0C11F4AACF306AEB9516E7F863C2A735C6271448A0D50A43748D6EEFAD
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: box.vertym.xyz
Sending IP: 64.227.1.193
From: Sakulrat Tavornkaew <Kongkawoot@oryx.com>
Subject: Posco February 2021 Provisional Contract
Attachment: Posco Febuary 2021 Provisional Contract_pdf.gz (contains "GTS_21_9018_ORDER_pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
GTS_21_9018_ORDER_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-02-24 07:14:32 UTC
Tags:
trojan evasion masslogger stealer
Link:
https://app.any.run/tasks/5582f389-e7e8-46cb-87a7-787321a35dcf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118846/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader36.46212.31676.10511.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Sending an HTTP GET request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/616205
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 357106 Sample: GTS_21_9018_ORDER_pdf.exe Startdate: 24/02/2021 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for domain / URL 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected MassLogger RAT 2->44 46 6 other signatures 2->46 8 GTS_21_9018_ORDER_pdf.exe 17 3 2->8         started        process3 dnsIp4 32 coroloboxorozor.com 172.67.172.17, 49715, 80 CLOUDFLARENETUS United States 8->32 48 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->48 50 Adds a directory exclusion to Windows Defender 8->50 52 Hides threads from debuggers 8->52 54 Injects a PE file into a foreign processes 8->54 12 GTS_21_9018_ORDER_pdf.exe 2 8->12         started        16 cmd.exe 1 8->16         started        18 powershell.exe 26 8->18         started        20 WerFault.exe 23 9 8->20         started        signatures5 process6 dnsIp7 34 elb097307-934924932.us-east-1.elb.amazonaws.com 50.19.252.36, 49727, 80 AMAZON-AESUS United States 12->34 36 192.168.2.1 unknown unknown 12->36 38 2 other IPs or domains 12->38 56 Tries to steal Mail credentials (via file access) 12->56 58 Tries to harvest and steal browser information (history, passwords, etc) 12->58 60 Adds a directory exclusion to Windows Defender 12->60 22 powershell.exe 12->22         started        24 conhost.exe 16->24         started        26 timeout.exe 1 16->26         started        28 conhost.exe 18->28         started        signatures8 process9 process10 30 conhost.exe 22->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e17f40e9221c60fa2516f0c59806053a35cf826a1f305502425bf7349e120f4/
Threat name:
ByteCode-MSIL.Downloader.BaseLoader
Create hunting rule
Status:
Malicious
First seen:
2021-02-24 06:57:09 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dyl7idusehda7isrn4gftadakorvz6bguhzqkubeew7xgspbed2a._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
1817a8f184410911c6b9066527e88931d69296564be916ed0b2029c20c684bbb
MassLogger
1e86893e03f2f3bec014fc26e5fabd65fdfa2ddf14111707d0ef20dadf5bcef9
MassLogger
413f22dc59eee0b4d6a13b1264a4370d7957c73766050ab62bde81e8e496c8f7
MassLogger
b095032316de2f43af0557c35dd58ab254928f24a3b8e7cf4cf5c4dbac73ac56
MassLogger
cc3b971f25d0ad410dbe3b7d1d6235041eb36632d0ea6e8d34a6a94e41d79df3
MassLogger
d524cd860456f8ba974792e116c29500bd251b580d42df1d115ffe96b5f79d43
MassLogger
e057f177dbb47cdb739ca5300812914d10c60ef522607819b91201079ffa643d
MassLogger
f14d7b8fe3caf1abed6941ba3a7cfbc7496edb3ca728a4c1060e306e7087ec61
MassLogger
fd0770f10f7a7a2a09b68a03fc921cabf7434271ce8fe00fed9f6913ab55eada
MassLogger
fe443666d12a1f8abc14589390805436e14c0131b9705c38dd425a1f687e8949
MassLogger
+ 618 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger evasion spyware stealer trojan
Link:
https://tria.ge/reports/210224-t5cntc572s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Windows security modification
MassLogger
MassLogger Main Payload
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
1e17f40e9221c60fa2516f0c59806053a35cf826a1f305502425bf7349e120f4
MD5 hash:
d9dc20ba3c5255b2a81cdcc44e9b1e44
SHA1 hash:
0113053b66e40f575872e7407af674ade6de6b03
Link:
https://www.unpac.me/results/8f9e757d-66a8-468e-ae48-b0606f93154f/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

gz b18a980aeeac36c4132e5cd62bd1a66f85c74eb565baf0f5a7613de77b0c8e88

MassLogger

Executable exe 1e17f40e9221c60fa2516f0c59806053a35cf826a1f305502425bf7349e120f4

(this sample)

  
Dropped by
MD5 9199159e5b8610e33cf66fd64c8139db
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b18a980aeeac36c4132e5cd62bd1a66f85c74eb565baf0f5a7613de77b0c8e88
Cape
Cape
https://www.capesandbox.com/analysis/118846/

Comments