MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bd548e22cf519ee21eb5492713555537bbc71c899d2421e8a40d4e81f6b3f65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2bd548e22cf519ee21eb5492713555537bbc71c899d2421e8a40d4e81f6b3f65
SHA3-384 hash: 64f916a75f9ad454d51c906cd4c7929e87ebdb39612ffc72606abc77d952749b02fe20fb1793ac8faeccdea0e1f87894
SHA1 hash: ede0bf0b1dd1deca15576ee50f2472912f3f6bba
MD5 hash: 5f69c32ad5d9a724ab741bbbe7bf36bb
humanhash: lion-foxtrot-jersey-table
File name:Order List.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:909'312 bytes
First seen:2020-10-05 11:23:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:Gl8B9D/pxksU348COE+jyNWh3uk98sYfM+cIjJ:GA9D/pw348CE/3IY
Threatray 4'880 similar samples on MalwareBazaar
TLSH 7615E0357260A7CEC12F4EBAC49E7D0D97F092124703F787DEAE07F885CE6468622995
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: qq.com
Sending IP: 183.3.255.187
From: 沈晓英 <lisa@dyxuanyi.com>
Subject: Order List
Attachment: Order List.zip (contains "Order List.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68146/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/481290
Signature
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2bd548e22cf519ee21eb5492713555537bbc71c899d2421e8a40d4e81f6b3f65/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 02:10:43 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fpkuryrm6um64iplksjhcnkvkn53y4oithjeehukidkoqh3lh5sq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
01053beaa477c1cbf38cd7914244da9e75a22f59568056048fefde017503226e
MassLogger
17b671d207ca3e6334ddcae8ce17f1317ccaf35e992fed85724313ee1919f519
MassLogger
59266059bf9ed1325138907f3f74f4838600be78e310b8165333935e18817d5a
MassLogger
9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4
MassLogger
9f0866780aa84107697212f1b3578777c450861c02a6e01f5741de28c858900c
MassLogger
cc87cc3cff16721cb3f7e6be1e5be62bcdacafd1fa70ec879c6a9c12a9b438bb
MassLogger
d2d81b10778e3b7c19fcc2a0f4fe51730408ac9ea0b78b3fd5b884a59dad793c
MassLogger
d465ff22dc9be084281d48c3857b7fdc3fbd541717e2016627f75b8a4012838c
MassLogger
e64ff6e23ce8911e74ee402d2cc1ed3d54998a56a6fb272b50c5a87363975305
MassLogger
ed235d058942eeabdbd09e342b36e1747d83fe281608b1785ca075a51607e020
MassLogger
+ 4'870 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201005-6qsjvvmdqs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
2bd548e22cf519ee21eb5492713555537bbc71c899d2421e8a40d4e81f6b3f65
MD5 hash:
5f69c32ad5d9a724ab741bbbe7bf36bb
SHA1 hash:
ede0bf0b1dd1deca15576ee50f2472912f3f6bba
Link:
https://www.unpac.me/results/270daafd-0729-4974-b59d-f461daf04a75/
SH256 hash:
f047b3dbad4c9f3901b6d632ef58ef60028d0cc87dfdb4fef9d22d62d79a7eda
MD5 hash:
624819a3cde90094a7a01128111c6359
SHA1 hash:
1b1599998fe706de8f2af69ea0f6beb701e09261
Link:
https://www.unpac.me/results/270daafd-0729-4974-b59d-f461daf04a75/
SH256 hash:
01dd844990e0c5fdcea0f88712253aa1ef4750316f0734ab7099306170b5ea2a
MD5 hash:
eb593633270aa19162cf64663df9dd6c
SHA1 hash:
2ec57181471ff10abe9a04239ca3ea86ea4252b9
Link:
https://www.unpac.me/results/270daafd-0729-4974-b59d-f461daf04a75/
SH256 hash:
25b21d0bb54dcfb380d4cc97b7121ac348e8142c3e304584c1a506954c66c20c
MD5 hash:
b4e9f5349de9089fb7bc14de24491702
SHA1 hash:
30debdb5b1b65d60fc120b6572d292f59a6073ba
Link:
https://www.unpac.me/results/270daafd-0729-4974-b59d-f461daf04a75/
SH256 hash:
31294f00cd76978531e367de290e674aa5adac6d94a1fd558fd5ff32575652cd
MD5 hash:
0b375695862c35ac78e2819c0c9c51d7
SHA1 hash:
3c3caca6f836c933697f5b7a4d420df84538a9a8
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/270daafd-0729-4974-b59d-f461daf04a75/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
MassLogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2bd548e22cf519ee21eb5492713555537bbc71c899d2421e8a40d4e81f6b3f65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip ab16c5b854d81ef1adb1b5156a598b021bce1e459df07c46436e532bbf9f6cd0

MassLogger

Executable exe 2bd548e22cf519ee21eb5492713555537bbc71c899d2421e8a40d4e81f6b3f65

(this sample)

  
Dropped by
MD5 68454ad21cc3340f5ae9817e29a80111
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68146/
  
Dropped by
SHA256 ab16c5b854d81ef1adb1b5156a598b021bce1e459df07c46436e532bbf9f6cd0

Comments