MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48911ded8eb1be557009ec74a427c92481389c32e01c8a1c8935aa8db52bb558. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 1 Comments

SHA256 hash: 48911ded8eb1be557009ec74a427c92481389c32e01c8a1c8935aa8db52bb558
SHA3-384 hash: 5ade99c5fc679d2060268020cd8ef04924997c33228e4ca6eb424247957ef4f64b0086919e9755fa98ba43a1b0d53629
SHA1 hash: 4ba4982569306007e25754d9ae75d274125dae3d
MD5 hash: bbd118140f15fd857e0dcda4382a2d11
humanhash: yellow-mobile-louisiana-uranus
File name:DHL.PDF.exe
Download: download sample
Signature MassLogger
File size:1'113'600 bytes
First seen:2020-06-29 09:04:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 6144:QcEli0pjcl73RUn8LxXx77MJRB0WJ1a5JYqlvabsB9xNB4PtzPtsEa6IBKclio8J:Q98JlNUiD7MOWCnxU4f4BRHsOGzuu1FS
TLSH BD356B003FB09C13E89A01B154147E8B1D7DA943E4D5E26BBB7236E455729BFE6B8C0E
Reporter @abuse_ch
Tags:DHL exe MassLogger


Twitter
@abuse_ch
Malspam distributing MassLogger:

HELO: ceruler.com
Sending IP: 23.108.57.211
From: DHL Express International <info@ceruler.com>
Reply-To: infodhl_internation@fastservice.com
Subject: DHL SHIPPMENT ARRIVAL NOTICE
Attachment: DHL DETAILS PDF.z (contains "DHL.PDF.exe")

MassLogger SMTP exfil server:
mail.mytravelexplorer.com:587

Intelligence


File Origin
# of uploads :
1
# of downloads :
32
Origin country :
FR FR
Mail intelligence
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Status:
Malicious
First seen:
2020-06-29 09:06:06 UTC
AV detection:
23 of 31 (74.19%)
Threat level
  5/5
Result
Malware family:
masslogger
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger log file
MassLogger

Yara Signatures


Rule name:masslogger_gcch
Author:govcert_ch

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe 48911ded8eb1be557009ec74a427c92481389c32e01c8a1c8935aa8db52bb558

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments