MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 392a11f14ce7e214b9a464f5b91b990634c1d6ce96411b8ed0c3940a88f53b52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 392a11f14ce7e214b9a464f5b91b990634c1d6ce96411b8ed0c3940a88f53b52
SHA3-384 hash: a49a408b206335ac610dafc9c0f204c461fcfab2c53eceb4622c41bf09a3d98d7de7462ee18a7400833ea930e97c05c5
SHA1 hash: 57f092f6f3aefe8975c277b42b7be35e961230e3
MD5 hash: b2398ff9cff41e0ee0dbfdcc1577a2bd
humanhash: pennsylvania-pluto-pip-network
File name:Swift Copy.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'184'256 bytes
First seen:2020-10-12 07:31:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:XL3SuPU59hj+1D6ILdTmHqSBm8V0OscqoTdcQ:XLiF9hsD6SHSBaOTq+c
Threatray 321 similar samples on MalwareBazaar
TLSH F045BE2D26A59A85D0FD8BB4111A7450CFF4291764AAF33C2DEFA4EE3661B484703E73
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: odessabd.com
Sending IP: 156.96.47.18
From: Carol Zong <carol.finance@coastalpetrol.com>
Subject: Re:PAYMENT SWIFT REF:HR2019000000030
Attachment: Swift Copy.rar (contains "Swift Copy.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69983/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488102
Signature
.NET source code contains potential unpacker
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296507 Sample: Swift Copy.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 100 34 Malicious sample detected (through community Yara rule) 2->34 36 Multi AV Scanner detection for dropped file 2->36 38 Sigma detected: Scheduled temp file as task from temp location 2->38 40 10 other signatures 2->40 8 Swift Copy.exe 6 2->8         started        process3 dnsIp4 30 192.168.2.1 unknown unknown 8->30 24 C:\Users\user\AppData\Roaming\btwgUy.exe, PE32 8->24 dropped 26 C:\Users\user\AppData\Local\...\tmpEA86.tmp, XML 8->26 dropped 28 C:\Users\user\AppData\...\Swift Copy.exe.log, ASCII 8->28 dropped 42 Injects a PE file into a foreign processes 8->42 13 Swift Copy.exe 2 8->13         started        15 schtasks.exe 1 8->15         started        file5 signatures6 process7 process8 17 powershell.exe 17 13->17         started        20 conhost.exe 15->20         started        signatures9 32 Deletes itself after installation 17->32 22 conhost.exe 17->22         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/392a11f14ce7e214b9a464f5b91b990634c1d6ce96411b8ed0c3940a88f53b52/
Threat name:
ByteCode-MSIL.Backdoor.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 06:59:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hevbd4km47rbjonemt23sg4zay2mdvwoszarxdwqyokavchvhnja._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
042e32eb8970e6dd8e767bb75bc25b3325c314783b9c3bb365727584dba4d918
MassLogger
054b7c5d38a00ecfc40168d4dc21610139c5ab6a46d2a0e851ef100397d5e5e9
MassLogger
1fb23de8da95ef200663ec6bffe9a439b6c39927559b5e103a488cf54355ebad
MassLogger
35053de930782e8179e3721c8927c499b71dc9926db872b722fe8b5ec5b300b2
MassLogger
4255ae6b31d6068463b663c1871ac8cee3461b0d3fbf642f96cf9a3e8817803c
MassLogger
792259d9e6e262d17cc54f4b43c8e95cd0be1e533f5e5032a5cdefb9f899a6a2
MassLogger
b0f6052c071380b0413ba33ab5f888442bba649614a7102ade644d7195487bed
MassLogger
b3c33339d1d526eebdd71c8ce0d1f3d0a12be1d5325e7678924e2bfc29a84181
MassLogger
f4b7759a1a42ebd89a61ed697ca26661dff56719bbf254b7b1f400f3cf4487d1
MassLogger
f638e03e33b24d736db2873b3dee14d8312731d040adb93265b99e21b94b3978
MassLogger
+ 311 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
spyware stealer family:masslogger
Link:
https://tria.ge/reports/201012-xwt1f9jjf2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Deletes itself
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
392a11f14ce7e214b9a464f5b91b990634c1d6ce96411b8ed0c3940a88f53b52
MD5 hash:
b2398ff9cff41e0ee0dbfdcc1577a2bd
SHA1 hash:
57f092f6f3aefe8975c277b42b7be35e961230e3
Link:
https://www.unpac.me/results/3c4191fc-289f-4888-bb94-3bd6c6158758/
SH256 hash:
ae3a97303c4355e795cf780e8f109a80490ba8db71a1cf02fb50ea3504ca1bf4
MD5 hash:
1fcd36a198a246cc7403159d0902855b
SHA1 hash:
1a53def6880ccd1f38d48ac6aa300efedf056e55
Link:
https://www.unpac.me/results/3c4191fc-289f-4888-bb94-3bd6c6158758/
SH256 hash:
a5f299d7cc0dc35a35e1643380157d68a82989be3519fc5ab47c1ac329add6da
MD5 hash:
1f9af68a524c391d64c62d3f7e593276
SHA1 hash:
522aa66b7255d662ec794d7fb204941b9a08cfd8
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/3c4191fc-289f-4888-bb94-3bd6c6158758/
Parent samples :
392a11f14ce7e214b9a464f5b91b990634c1d6ce96411b8ed0c3940a88f53b52
3f79b9e8017267d47794c922c39008f47100509946ca83844bead7432a091d23
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/3c4191fc-289f-4888-bb94-3bd6c6158758/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/392a11f14ce7e214b9a464f5b91b990634c1d6ce96411b8ed0c3940a88f53b52

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar 5f49d62810e5391abb1cb952c714ebb391859a0c47f1a93ec61fdc4c15be4f55

MassLogger

Executable exe 392a11f14ce7e214b9a464f5b91b990634c1d6ce96411b8ed0c3940a88f53b52

(this sample)

  
Dropped by
MD5 a6db7b958455db8165bb75472d2dfd72
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69983/
  
Dropped by
SHA256 5f49d62810e5391abb1cb952c714ebb391859a0c47f1a93ec61fdc4c15be4f55

Comments