MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 434a27cd76f2c267f301de39d0a5a30b6fb3f3b21c273645743e9da16ea51489. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash:	434a27cd76f2c267f301de39d0a5a30b6fb3f3b21c273645743e9da16ea51489
SHA3-384 hash:	f27f21bdffe376234c6fa418555064b97ed7c4575126d4455c51543f6e417b83a13b5b8826f2366d605618d71ee9b298
SHA1 hash:	7d444e41a4cd1ee121cd22b2188416d0c6b0ec92
MD5 hash:	7443fcc564fc3310b29327ac59e51c5e
humanhash:	seven-six-stream-cardinal
File name:	EUROSWIFT_CONFIRMATION 1.pdf .exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'058'304 bytes
First seen:	2020-10-12 05:56:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:Df1ojWWHGtETBIaDNc7AJ1dWtxNMLJ23:DfQWWHGQCaDNcOdWFM
Threatray	1 similar samples on MalwareBazaar
TLSH	A93533A74F9023BEECBD0A7673C292E2917AC70B6061852D460A0F6FACDF7574190767
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: server.nigrc.com
Sending IP: 188.225.36.143
From: Accounts Payable NZ <accountpayablenz@nigrc.com>
Subject: Accounts Payable NZ shared a file with you
Attachment: EUROSWIFT_CONFIRMATION 1.pdf .gz (contains "EUROSWIFT_CONFIRMATION 1.pdf .exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/69920/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Launching a process

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/487946

Signature

Binary contains a suspicious time stamp

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has nameless sections

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/434a27cd76f2c267f301de39d0a5a30b6fb3f3b21c273645743e9da16ea51489/

Threat name:

ByteCode-MSIL.Trojan.Sudloader

Status:

Malicious

First seen:

2020-10-12 00:11:47 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=infcptlw6lbgp4yb3y45bjndbnx3h45sdqttmrluh2o2c3vfcseq._file

Verdict:

unknown

MassLogger

Result

Malware family:

masslogger

Score:

10/10

Tags:

stealer spyware family:masslogger

Link:

https://tria.ge/reports/201012-fsr7qtymya/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

ServiceHost packer

MassLogger

MassLogger Main Payload

Unpacked files

SH256 hash:

434a27cd76f2c267f301de39d0a5a30b6fb3f3b21c273645743e9da16ea51489

MD5 hash:

7443fcc564fc3310b29327ac59e51c5e

SHA1 hash:

7d444e41a4cd1ee121cd22b2188416d0c6b0ec92

Link:

https://www.unpac.me/results/9e4bdbdd-b8ea-451c-881a-65dccf9d9204/

SH256 hash:

607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b

MD5 hash:

a90baadadf904455325f7bc787185c7b

SHA1 hash:

7d833bb819d638008c98be469b05db2feaf201cd

Link:

https://www.unpac.me/results/9e4bdbdd-b8ea-451c-881a-65dccf9d9204/

SH256 hash:

3feac9fde4bad278b370bf7c515cf1015d887781c9cff0ad4b1e663d98fd3ea8

MD5 hash:

9a54a67609c688fab6f9c8f39f0d0f9d

SHA1 hash:

bf59de017bda08b72dc6f163a37675ea80398a96

Link:

https://www.unpac.me/results/9e4bdbdd-b8ea-451c-881a-65dccf9d9204/

SH256 hash:

9c3028e6234c23e541a9cae694548fef37e342e0b0a67f782c8c4a3323dff20c

MD5 hash:

5e54476e580dbaeae32cab75776e58a7

SHA1 hash:

e53309b15ffb7e4abbea30ace0de5082cbdf4c25

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/9e4bdbdd-b8ea-451c-881a-65dccf9d9204/

Parent samples :

434a27cd76f2c267f301de39d0a5a30b6fb3f3b21c273645743e9da16ea51489
3f5ebf36b9ed89b4364063f68ce8a7dae8db6c37c206009ed5f3aaef1d2339e2
bcfe0d241a8b8749dfc05df3ed830a99df7c764c3d69e72851f736c24bcbab93
3c0957a9229442cae275329702b10d3a3045b1c666b00f0f67c4502fa4abe9d4

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.75

Link:

https://yomi.yoroi.company/submissions/434a27cd76f2c267f301de39d0a5a30b6fb3f3b21c273645743e9da16ea51489

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf