MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4391d0f7038e267c0b8603c0ae2969f6070ad3a2653387fff68038c03f945012. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	4391d0f7038e267c0b8603c0ae2969f6070ad3a2653387fff68038c03f945012
SHA3-384 hash:	1c6cb9ade623cd2a4c8e25d08510dde3bdcf6ad3751d1b1695cbdc8e1a8a145747a45aade06e7e2910263b60cb1a8759
SHA1 hash:	cd85a16fade4044b553f825c48b8cc997ae91f4f
MD5 hash:	b9e9712d9b9ea1f346fedfea4a2479c8
humanhash:	carpet-green-gee-island
File name:	INV doc9450940983355523.pdf.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	972'288 bytes
First seen:	2020-10-22 16:12:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:lD/NeuSdQ/2tI9h+bty8/IN4BA1GUKzod:lD/Ne1dPIqbty8/pANKzo
TLSH	BE251250619DBB72D6BE4BF93058090583B61D5F67B2E3681CD336E66FB27008B80E63
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing MassLogger:

HELO: m1mkyc5j.ni.net.tr
Sending IP: 89.252.168.52
From: trust@al-tuwaijri.com
Subject: ACİL REVİZE PI
Attachment: INV doc9450940983355523.pdf.uu (contains "INV doc9450940983355523.pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/74703/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Creating a file

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/507459

Signature

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4391d0f7038e267c0b8603c0ae2969f6070ad3a2653387fff68038c03f945012/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-10-22 10:15:18 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ioi5b5ydrythyc4gapak4klj6ydqvu5cmuzyp77wqa4map4ukaja._file

Result

Malware family:

masslogger

Score:

10/10

Tags:

spyware stealer family:masslogger evasion

Link:

https://tria.ge/reports/201022-p4wgvhf9gn/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Maps connected drives based on registry

Checks BIOS information in registry

Checks computer location settings

Reads user/profile data of web browsers

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

MassLogger

MassLogger Main Payload

Unpacked files

SH256 hash:

31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b

MD5 hash:

0aebe46040ceb011e78506d4985fe3de

SHA1 hash:

218ac1e7b14a66c604ec3042f8486bed9cd4c2c1

Link:

https://www.unpac.me/results/76b19f5a-46f4-4db8-8238-bb026ef1e150/

SH256 hash:

683a70509a756f6d02ab720733c8807f0d9196b2299e8ee80ffbbfb5b20ef0bc

MD5 hash:

55030f1a1366696c4730ecb2fed99105

SHA1 hash:

32a07094bfd6ff3efe658e934e5bea985cbb6b03

Link:

https://www.unpac.me/results/76b19f5a-46f4-4db8-8238-bb026ef1e150/

SH256 hash:

f4d2bd5b76da73dc177e59130854387ec549ac8f7b3a5f150779515f588636b1

MD5 hash:

6488d0927bf6d6ee1dd949cf298c80cb

SHA1 hash:

c8e73bdab10d6bc3462d2a6c122d229c910d7e04

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/76b19f5a-46f4-4db8-8238-bb026ef1e150/

Parent samples :

3a174a8823aea425c1e4faae5879a783f18df206c436d12995e015448428caa3
4391d0f7038e267c0b8603c0ae2969f6070ad3a2653387fff68038c03f945012

SH256 hash:

4391d0f7038e267c0b8603c0ae2969f6070ad3a2653387fff68038c03f945012

MD5 hash:

b9e9712d9b9ea1f346fedfea4a2479c8

SHA1 hash:

cd85a16fade4044b553f825c48b8cc997ae91f4f

Link:

https://www.unpac.me/results/76b19f5a-46f4-4db8-8238-bb026ef1e150/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar e617e9a809ed5b682d8ee48d4a8cff379d8c5bcb8688da7b8b3f249185e8a135

MassLogger

exe 4391d0f7038e267c0b8603c0ae2969f6070ad3a2653387fff68038c03f945012

(this sample)

Dropped by

MD5 e00a45db193eb71cf958ecae5f33af30

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/74703/

Dropped by

SHA256 e617e9a809ed5b682d8ee48d4a8cff379d8c5bcb8688da7b8b3f249185e8a135

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample