MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37eb096457c5f3b81945f57de1b46674cdd7ccf83714f0bc4c0d982ade2405bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	37eb096457c5f3b81945f57de1b46674cdd7ccf83714f0bc4c0d982ade2405bd
SHA3-384 hash:	745cda617b61df032ca65bca2f74830cfadcf04ac22f92bf48db4a1e8bb704fe1e4046b7ec581ed61c4f30adf4a8b896
SHA1 hash:	59ca48a0edf12bd54e7a7e956e3ded80f75cada5
MD5 hash:	922902037e92ce7c5297054a629f1ef5
humanhash:	item-moon-failed-pluto
File name:	Invoice.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	838'144 bytes
First seen:	2020-08-13 05:49:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:unZTjF+j4VBUyh/eTA8LG4WSpIbva9UlxwWdsVGmnGcaJ5k73j/+cfSO:unVjIYUycbsvaxUUukLu
Threatray	530 similar samples on MalwareBazaar
TLSH	9D05017037E69990D7AC0D710963100057B63A2BFFA9C71E2E4D319D1879BB27681FAB
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: server.linux108.papaki.gr
Sending IP: 185.138.43.36
From: Eloy Picón <eloypicon@dimarosa.es>
Subject: RE:ORDEN DE COMPRA 28412
Attachment: Invoice.zip (contains "Invoice.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/44810/

Detection(s):

SecuriteInfo.com.Artemis922902037E92.7148.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Running batch commands

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/425099

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Deletes itself after installation

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/37eb096457c5f3b81945f57de1b46674cdd7ccf83714f0bc4c0d982ade2405bd/

Threat name:

Win32.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-12 21:35:42 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=g7vqszcxyxz3qgkf6v66dndgotg5pthyg4kpbpcmbwmcvxreaw6q._file

Verdict:

unknown

MassLogger

3277c38c152ed39a94dbc50b60675ba3438631243837bf30ce65c996ceab524d

MassLogger

50b298120d93f328fa5949eeb470a41ac0e846b28df37d46cb16c0beaa1b128e

MassLogger

5d7470dd39f59feeb354918508f99d909e2e05a9bd41e4a180848f999cd00fb3

MassLogger

7601104485381f818f5b171b8be6630c0f6b4792e14695e6146c876ff852cb3c

MassLogger

7fd925382882b58adc1b5e4a24a96d7fdcf3089f9badc5f6190489ddc9cb238a

MassLogger

8645ba1b7632006a19223c7f307f618290c1a7c98fc6118d3b1dd9b2c46687f4

MassLogger

c8014126255b80593651f5fe1e69e069147866498dbb78129f775d76a0fa8682

MassLogger

db18483e4256dc8f3362b52e3474260eeee4a7e7af43c8126200237e5a8804db

MassLogger

ff0b197ef34800ad007a5caedaf485af5ae523343ce8ec106d3a253d2c0a4a35

MassLogger

+ 520 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200813-848grryd7a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/37eb096457c5f3b81945f57de1b46674cdd7ccf83714f0bc4c0d982ade2405bd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 9f377c8709ba71efaa74d270b7a4c98f44ea62847c66d2e54a1d1044bb8a2577

MassLogger

exe 37eb096457c5f3b81945f57de1b46674cdd7ccf83714f0bc4c0d982ade2405bd

(this sample)

Dropped by

MD5 1799701f59581e92fee638c2791756e5

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 9f377c8709ba71efaa74d270b7a4c98f44ea62847c66d2e54a1d1044bb8a2577

Cape

https://www.capesandbox.com/analysis/44810/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample