MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 383422deddf4a90f0a8595727fd85959a847ee602eaf4a460e9cc27c751e26e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 383422deddf4a90f0a8595727fd85959a847ee602eaf4a460e9cc27c751e26e5
SHA3-384 hash: 7d5edad3d92a6d217cbb7a766a3ae243c25b4a470c32cbe5628896ccd8e436ddb9c5392cb32fdcc8dcda45466ccfe819
SHA1 hash: debf4e9e4b68b96233f7b9954881e1dbc5b178c9
MD5 hash: 8c1df7d382218821c83b79afd1899ae1
humanhash: magazine-south-vermont-mars
File name:attched.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'083'392 bytes
First seen:2020-10-09 06:36:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash af4375c8d93dcc880470b77718311250 (3 x MassLogger, 3 x Loki, 2 x AveMariaRAT)
ssdeep 24576:CqjKIUe7QLkbDTMrvS2Li3sH6RgR/Ps87s:QIzCuYXG8aRgR3scs
Threatray 2'286 similar samples on MalwareBazaar
TLSH EF35C123E2E84837C17326789C0B5BB4EE26FD10292979866BF5DD485F39E507825F83
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: ESSAR.COM
Sending IP: 107.173.40.220
From: ROBIN KEDIR<INFO@ESSAR.COM>
Subject: RE: RFQ for supply of Piping Fittings oil and maritime equipments as attached.
Attachment: attched.zip (contains "attched.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file
Running batch commands
Launching a process
Sending a UDP request
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/486399
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295660 Sample: attched.exe Startdate: 09/10/2020 Architecture: WINDOWS Score: 100 74 Multi AV Scanner detection for submitted file 2->74 76 Yara detected MassLogger RAT 2->76 78 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->78 80 Yara detected Costura Assembly Loader 2->80 14 attched.exe 2->14         started        process3 signatures4 90 Detected unpacking (changes PE section rights) 14->90 92 Detected unpacking (creates a PE file in dynamic memory) 14->92 94 Detected unpacking (overwrites its own PE header) 14->94 96 3 other signatures 14->96 17 attched.exe 14->17         started        19 attched.exe 4 14->19         started        process5 file6 22 attched.exe 17->22         started        72 C:\Users\user\AppData\...\attched.exe.log, ASCII 19->72 dropped 25 cmd.exe 1 19->25         started        process7 signatures8 86 Maps a DLL or memory area into another process 22->86 27 attched.exe 22->27         started        29 attched.exe 3 22->29         started        31 cmd.exe 22->31         started        33 powershell.exe 19 25->33         started        35 conhost.exe 25->35         started        process9 process10 37 attched.exe 27->37         started        40 cmd.exe 1 29->40         started        42 conhost.exe 31->42         started        44 powershell.exe 31->44         started        signatures11 84 Maps a DLL or memory area into another process 37->84 46 attched.exe 37->46         started        48 attched.exe 37->48         started        50 powershell.exe 18 40->50         started        52 conhost.exe 40->52         started        process12 process13 54 attched.exe 46->54         started        57 cmd.exe 48->57         started        signatures14 88 Maps a DLL or memory area into another process 54->88 59 attched.exe 54->59         started        61 attched.exe 54->61         started        63 conhost.exe 57->63         started        65 powershell.exe 57->65         started        process15 process16 67 attched.exe 59->67         started        signatures17 82 Maps a DLL or memory area into another process 67->82 70 attched.exe 67->70         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/383422deddf4a90f0a8595727fd85959a847ee602eaf4a460e9cc27c751e26e5/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 01:10:26 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ha2cfxw56suq6cufsvzh7wczlguep3taf2xuurqottbhy5i6e3sq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
0889245c6fdc245d14cf4dac36f55ae3228396b25bfeab0d33b00dfb19e788a9
MassLogger
0cb22d3d57812fd7f79b93f77efe33302e171b29f540f3883239f31228966a17
MassLogger
242c20784a19993ce2896684480243fe63d33b065fe9ef74d48b958a91cd4e48
MassLogger
346266a829d5c233427f67608ad6306af527fa0b733d38cb80c09fb00b5ff39a
MassLogger
795f53cafe2900bfa7acbb2a231fb3162e36872b3e1664d90cbf611c4f3446f9
MassLogger
8f24b4adb843172c14b392bcf73f1f46ac8a20091cb22649110bb937f84b281c
MassLogger
c1c8905198fca177bb8307d0a49143971c4c194149a659106b279a5d1be9e998
MassLogger
c2689bc7e035365f3aad0880c3f2526da7e6934882be23bef2b7fa20f4b04513
MassLogger
d89012e75ed7fe4356199f7390ccd1187481f86b32d4367c47f433ac2f5ae730
MassLogger
da41f5d16a81585d67bb46beaffb4b5206601ec135a98e427dea347f3896f095
MassLogger
+ 2'276 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware upx spyware stealer family:masslogger
Link:
https://tria.ge/reports/201009-vzkvfcnjzs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
UPX packed file
MassLogger
MassLogger log file
Unpacked files
SH256 hash:
383422deddf4a90f0a8595727fd85959a847ee602eaf4a460e9cc27c751e26e5
MD5 hash:
8c1df7d382218821c83b79afd1899ae1
SHA1 hash:
debf4e9e4b68b96233f7b9954881e1dbc5b178c9
Link:
https://www.unpac.me/results/d9073e82-c8f5-437d-aebf-27e02991b5bd/
SH256 hash:
e70d941a2de443de7840763665b99ec9ede0ad2d727a3f011de884cd2d7d96ed
MD5 hash:
c82f3f53d6d0493c0a3cfda3f8c934af
SHA1 hash:
080d71205d796c930effb626138cc9bb6c8ecd25
Link:
https://www.unpac.me/results/d9073e82-c8f5-437d-aebf-27e02991b5bd/
SH256 hash:
bef6265001e8bea2969a42caeadf2587bbd9c11af2db48e8664422d5a1a41d73
MD5 hash:
f836ed17a0f3c6eddae5e5e47ba90bb5
SHA1 hash:
17990c144a3c3bf9bbdd4cb1b43023f2856336b5
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/d9073e82-c8f5-437d-aebf-27e02991b5bd/
SH256 hash:
84ecbad107cfa8012799c66f98d0e20fb3b8fb269d8c5c198a0f76f25e2c7902
MD5 hash:
84727a5600fc38bca121e62b110d9486
SHA1 hash:
2ec9155061e3185bf397276d146704d9f852adac
Link:
https://www.unpac.me/results/d9073e82-c8f5-437d-aebf-27e02991b5bd/
SH256 hash:
500097be493a55b3ca38ac9be82ed6ec9edae81fcbc92fd4831e73142b7b629f
MD5 hash:
b5d5f2249a9cb3098bf7a1df732985b2
SHA1 hash:
5ba85657911b621fd642d877a4ce5f965c0273fb
Link:
https://www.unpac.me/results/d9073e82-c8f5-437d-aebf-27e02991b5bd/
SH256 hash:
20c58633fe67d2f09f1aff44be4c6fde4332bd5c049c7ee47059c6f5fa8f2aed
MD5 hash:
a242fa0c3654e9951dba8e5231ceed83
SHA1 hash:
325aa79fb45a9befbfe358b9e28ceae1f0dba811
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/d9073e82-c8f5-437d-aebf-27e02991b5bd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/383422deddf4a90f0a8595727fd85959a847ee602eaf4a460e9cc27c751e26e5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip d90fe9930af088f5abaec41a10587ecbc0b94e6941d3f54e118b2f9721009091

MassLogger

Executable exe 383422deddf4a90f0a8595727fd85959a847ee602eaf4a460e9cc27c751e26e5

(this sample)

  
Dropped by
MD5 6eeda40223aa3c9acc60a20e3b44728e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69466/
  
Dropped by
SHA256 d90fe9930af088f5abaec41a10587ecbc0b94e6941d3f54e118b2f9721009091

Comments