MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 433c68e89fe741e7ec59e064861baf726ab0b8637849d9d92fa5e3a2819d211c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 433c68e89fe741e7ec59e064861baf726ab0b8637849d9d92fa5e3a2819d211c
SHA3-384 hash: c7144d63b85d85321e45d45b709a1fbfae54959417837b3aa47953c3d566eb7c5f7f847ae8d5c665ccb5fbb617930e2d
SHA1 hash: 2c0db45e4852ab67255f78fe6921ada7a305244e
MD5 hash: c4cf28c1d5e4da94c3391b90cd91671d
humanhash: carolina-kilo-december-vegan
File name:payment swift.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:952'064 bytes
First seen:2020-10-23 07:02:36 UTC
Last seen:2020-10-23 13:00:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:jGYyJwNP6DOvhVOmrQDz5YaU9WvaOwW1NAm16i+SnazTvvI:jZC5m0DGxWvFwWjAm3jaHvvI
Threatray 381 similar samples on MalwareBazaar
TLSH 55158D8A69CA8C7599F869FC12F7210456F0B1B33665EE3B4CC0E1E5D9703961BC7E0A
Reporter abuse_ch
Tags:exe MassLogger

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:Oct 21 06:01:46 2020 GMT
Valid to:Oct 21 06:01:46 2021 GMT
Serial number: 40FBDA49ECC6888BD9F8DC602BAAC025
Thumbprint Algorithm:SHA256
Thumbprint: 99F18212620DBB67DD2B6BF7800D9EE9118226CB8D136A2DE9E6C90305212A2D
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: gmail.com
Sending IP: 185.222.57.73
From: finance@actonacompany.com
Subject: FW: payment swift
Attachment: payment swift.zip (contains "payment swift.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Spynet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74966/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.40632.3952.5712.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Enabling autorun
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/507856
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 303053 Sample: payment swift.exe Startdate: 23/10/2020 Architecture: WINDOWS Score: 100 57 pastebin.com 2->57 71 Multi AV Scanner detection for dropped file 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 Yara detected MassLogger RAT 2->75 77 14 other signatures 2->77 8 payment swift.exe 24 6 2->8         started        13 payment swift.exe 2->13         started        15 payment swift.exe 2->15         started        17 payment swift.exe 2->17         started        signatures3 process4 dnsIp5 65 pastebin.com 104.23.98.190, 443, 49736, 49741 CLOUDFLARENETUS United States 8->65 67 192.168.2.1 unknown unknown 8->67 53 C:\Users\user\AppData\...\payment swift.exe, PE32 8->53 dropped 55 C:\...\payment swift.exe:Zone.Identifier, ASCII 8->55 dropped 81 Creates an undocumented autostart registry key 8->81 83 Adds a directory exclusion to Windows Defender 8->83 85 Hides threads from debuggers 8->85 19 payment swift.exe 8->19         started        23 powershell.exe 24 8->23         started        25 powershell.exe 25 8->25         started        33 3 other processes 8->33 87 Creates autostart registry keys with suspicious names 13->87 89 Creates multiple autostart registry keys 13->89 91 Injects a PE file into a foreign processes 13->91 27 powershell.exe 15->27         started        29 powershell.exe 15->29         started        31 powershell.exe 15->31         started        35 2 other processes 15->35 69 104.23.99.190, 443, 49744 CLOUDFLARENETUS United States 17->69 file6 signatures7 process8 dnsIp9 59 elb097307-934924932.us-east-1.elb.amazonaws.com 54.235.169.38, 49742, 80 AMAZON-AESUS United States 19->59 61 nagano-19599.herokussl.com 19->61 63 api.ipify.org 19->63 79 Tries to steal Mail credentials (via file access) 19->79 37 conhost.exe 23->37         started        39 conhost.exe 25->39         started        41 conhost.exe 27->41         started        43 conhost.exe 29->43         started        45 conhost.exe 31->45         started        47 conhost.exe 33->47         started        49 conhost.exe 33->49         started        51 conhost.exe 35->51         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/433c68e89fe741e7ec59e064861baf726ab0b8637849d9d92fa5e3a2819d211c/
Threat name:
ByteCode-MSIL.Spyware.Masslogger
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 11:06:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
22 of 29 (75.86%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=im6gr2e745a6p3cz4bsimg5pojvlboddpbe5twjpuxr2fam5eeoa._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
075522bcd1e68ecf9dd038bcfc839f2112f32d0ee8c38028bcc054dbb0fccd67
MassLogger
2fea8f7c727460dfd943dce7f9bb051f188f37a0150a132039a1892f18749ff3
MassLogger
70caf501b061da2729d33d4b0c5e9b9c58bc554cdbdddef16f7e057ea346808c
MassLogger
8b1e278db9ecbeda3510a251e207576256e5cfe3171becac7c8b5758f2ca3a9a
MassLogger
9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4
MassLogger
a2b0e9c1ea03a3a538fe9ef7f8e6dbf4c08feba8560e238e29fce0dd2f2e144b
MassLogger
b49f4c0a41fe65d3e81919eae65adb01d493e08331e0e3652b30655d55170d52
MassLogger
b515db56b7c63191b19befe748f7af7f00d08623029e8856c86fc46362fbed9f
MassLogger
c7f039cff52a5c1de59fb782259f3fd2054946e9fca03d364f61c7977128dcca
MassLogger
cbfa5e02ca4acf68dcfa7d286275cf1a6d424d4fe74bf840fc5452cfc3680f1e
MassLogger
+ 371 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
stealer spyware family:masslogger persistence evasion trojan
Link:
https://tria.ge/reports/201023-6ct7y5qbts/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Windows security modification
MassLogger
MassLogger Main Payload
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Turns off Windows Defender SpyNet reporting
Unpacked files
SH256 hash:
433c68e89fe741e7ec59e064861baf726ab0b8637849d9d92fa5e3a2819d211c
MD5 hash:
c4cf28c1d5e4da94c3391b90cd91671d
SHA1 hash:
2c0db45e4852ab67255f78fe6921ada7a305244e
Link:
https://www.unpac.me/results/dc4f3a89-1430-4520-aa46-e85e70978af6/
SH256 hash:
ee619ce281d8c1969f602533d355752822ea0cb196225620f968a9d75ff25f1e
MD5 hash:
ca3fb9dd76455136a6087117058b04d5
SHA1 hash:
688baba220f390a1566144abd64b93469b2d716a
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/dc4f3a89-1430-4520-aa46-e85e70978af6/
SH256 hash:
e66ff8f0f5a8c5c7f39c728a782fbec3e5dfcef169a95cadbcbf9267c07bd332
MD5 hash:
966bd526470c74b42ee63dc0ed23f94a
SHA1 hash:
703713c5edb6086fd32d332c5051f88fce7f6e6c
Link:
https://www.unpac.me/results/dc4f3a89-1430-4520-aa46-e85e70978af6/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip f9bebc15ea243aab82c91f22098a4dd0c50404346e5c0c2c4f507e4b1223d9ba

MassLogger

Executable exe 433c68e89fe741e7ec59e064861baf726ab0b8637849d9d92fa5e3a2819d211c

(this sample)

  
Dropped by
MD5 5cbfddc1c8d0445501a44500dd99d326
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74966/
  
Dropped by
SHA256 f9bebc15ea243aab82c91f22098a4dd0c50404346e5c0c2c4f507e4b1223d9ba

Comments