MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f79b9e8017267d47794c922c39008f47100509946ca83844bead7432a091d23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f79b9e8017267d47794c922c39008f47100509946ca83844bead7432a091d23
SHA3-384 hash: 7aaeff8eb055de0c349a325fcdb985d55f642717dfb52c2d8fa643d9fc75be243d8eb28b6572e800d34978770e8a7c00
SHA1 hash: 32958a778dffeb4d0b6d5c338bf05ab0bc080cfb
MD5 hash: c36cf5d1221a81e978c73b69c8a2c878
humanhash: sweet-oregon-diet-cola
File name:skm-c558899007785432.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:965'120 bytes
First seen:2020-10-14 16:27:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:0Ih9Dw4fLlelA3JDIkTX8Rsxy1Hkgiixz0AO1xcd:PwcLVJ5b8Ky1HhiMIt1c
Threatray 324 similar samples on MalwareBazaar
TLSH C025F19C365072EFC81BCD368A681C54EA21B477930BD253A45725ADDA0EADBCF106F3
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: okchem.com
Sending IP: 156.96.47.18
From: jenny<jenny@gentlebeautycn.com>
Subject: Re:payment
Attachment: skm-c558899007785432.rar (contains "skm-c558899007785432.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70948/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42621.22364.1076.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Launching a process
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/491497
Signature
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 298305 Sample: skm-c558899007785432.exe Startdate: 14/10/2020 Architecture: WINDOWS Score: 88 25 Malicious sample detected (through community Yara rule) 2->25 27 Multi AV Scanner detection for submitted file 2->27 29 Yara detected MassLogger RAT 2->29 31 3 other signatures 2->31 8 skm-c558899007785432.exe 3 2->8         started        process3 file4 23 C:\Users\...\skm-c558899007785432.exe.log, ASCII 8->23 dropped 35 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->35 37 Injects a PE file into a foreign processes 8->37 12 skm-c558899007785432.exe 2 8->12         started        14 skm-c558899007785432.exe 8->14         started        16 skm-c558899007785432.exe 8->16         started        signatures5 process6 process7 18 powershell.exe 17 12->18         started        signatures8 33 Deletes itself after installation 18->33 21 conhost.exe 18->21         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f79b9e8017267d47794c922c39008f47100509946ca83844bead7432a091d23/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-14 13:42:33 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h543t2abojt5i54uzermheai6ryqauezi3fihbcl5llugkqjdurq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
01053beaa477c1cbf38cd7914244da9e75a22f59568056048fefde017503226e
MassLogger
392a11f14ce7e214b9a464f5b91b990634c1d6ce96411b8ed0c3940a88f53b52
MassLogger
7f65935cd55b5a0978bf0a70690462a08d83657a97ddbe6aba871a5496d5f9c5
MassLogger
8878c46875d3b0d420bd76508490e5c6df7a55359d1d039f0edb145e836addb1
MassLogger
88e157995a6f79f670bad1611fdba6514152bb1f2682e0dbc28c3e9291b8c221
MassLogger
9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4
MassLogger
d8cea078199dbdef51ec7189cf03541bbcbd10c49a133b187348e2a24fe1e2eb
MassLogger
dc0087097e433036c00aaf8751d4cd9dc3e309fdba09c2ee1415a4060aa1cced
MassLogger
ed42640da83dda3bf2ed08c414bfd256a82c9a8ef1894a59e3c421b254c59d4d
MassLogger
f925d649aee4b92c974778fd87576229f44972c23df41df5aacdd9dc55fd2c45
MassLogger
+ 314 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
spyware stealer family:masslogger
Link:
https://tria.ge/reports/201014-64rmkdprhe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Deletes itself
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
a5f299d7cc0dc35a35e1643380157d68a82989be3519fc5ab47c1ac329add6da
MD5 hash:
1f9af68a524c391d64c62d3f7e593276
SHA1 hash:
522aa66b7255d662ec794d7fb204941b9a08cfd8
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/d7476f12-6b33-4b02-8d78-d9b290bdb10c/
Parent samples :
392a11f14ce7e214b9a464f5b91b990634c1d6ce96411b8ed0c3940a88f53b52
3f79b9e8017267d47794c922c39008f47100509946ca83844bead7432a091d23
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/d7476f12-6b33-4b02-8d78-d9b290bdb10c/
SH256 hash:
b8f636ae09fc5b47ca592d3b8c990e99d146e3a79363922723f4d2402f44a903
MD5 hash:
3633e1031cb54112509040502d76b84c
SHA1 hash:
fe380a0e9852c21903d0c35b925461f969f077b5
Link:
https://www.unpac.me/results/d7476f12-6b33-4b02-8d78-d9b290bdb10c/
SH256 hash:
3f79b9e8017267d47794c922c39008f47100509946ca83844bead7432a091d23
MD5 hash:
c36cf5d1221a81e978c73b69c8a2c878
SHA1 hash:
32958a778dffeb4d0b6d5c338bf05ab0bc080cfb
Link:
https://www.unpac.me/results/d7476f12-6b33-4b02-8d78-d9b290bdb10c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/3f79b9e8017267d47794c922c39008f47100509946ca83844bead7432a091d23

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar 6d0b8a0c8455d6d8f0332583070806971c2616aaa79d02376e4e7f62afb6a8f9

MassLogger

Executable exe 3f79b9e8017267d47794c922c39008f47100509946ca83844bead7432a091d23

(this sample)

  
Dropped by
MD5 821af6f713469f7f0ccc63403a1058c9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70948/
  
Dropped by
SHA256 6d0b8a0c8455d6d8f0332583070806971c2616aaa79d02376e4e7f62afb6a8f9

Comments