MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b174227ea49d30f3378e8469d9849015779d6d3da73333ad0b386411bfade20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b174227ea49d30f3378e8469d9849015779d6d3da73333ad0b386411bfade20
SHA3-384 hash: 4cac334c8149d529c988e761384c224c659ade072005ea8b17660b287cc25613d663770eeaeefe74ca0b6c08eb6ea042
SHA1 hash: 3cbfcdb8b5f7bcab7bd09125627228bee497faba
MD5 hash: ff65414919a5ca429bd872a4f5ae696a
humanhash: fish-oscar-minnesota-robin
File name:Shipping Doc 3454.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:993'792 bytes
First seen:2020-10-17 06:33:54 UTC
Last seen:2020-10-17 08:03:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:DWtQPDCGmBosyPIg+SMvLATM8GyAbH7sNn9Vn1Tc1H+4ZhQt:IQPDCGmBoswIg+NMD4H7shrnpaH+c
Threatray 379 similar samples on MalwareBazaar
TLSH 1B25F0356759EF64E07E433BE4A4186483F9EC4AD332D62A7DE832CD66A1FE45122307
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: cgi.centirn.net
Sending IP: 68.183.61.5
From: Aamir Shiwani <info@centirn.net>
Subject: BL Draft
Attachment: Shipping Doc 3454.zip (contains "Shipping Doc 3454.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Masslogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72448/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.44093020.23283.14805.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Launching a process
Sending a UDP request
Creating a window
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/494277
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299589 Sample: Shipping Doc 3454.exe Startdate: 17/10/2020 Architecture: WINDOWS Score: 92 20 Malicious sample detected (through community Yara rule) 2->20 22 Multi AV Scanner detection for submitted file 2->22 24 Yara detected MassLogger RAT 2->24 26 5 other signatures 2->26 8 Shipping Doc 3454.exe 3 2->8         started        process3 file4 18 C:\Users\user\...\Shipping Doc 3454.exe.log, ASCII 8->18 dropped 28 Injects a PE file into a foreign processes 8->28 12 Shipping Doc 3454.exe 2 8->12         started        signatures5 process6 process7 14 powershell.exe 19 12->14         started        process8 16 conhost.exe 14->16         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b174227ea49d30f3378e8469d9849015779d6d3da73333ad0b386411bfade20/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 14:06:19 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jmluej7kjhjq6m3y5bdj3gcjaflxtvwt3jztgowqwodecg723yqa._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
1d3286d29155618ebaf43cfebc809f80daa7d247b9e3c872ea5c48c8109afcd0
MassLogger
1e3f14f932364db4904b69fce12e373e6354f4291dcda0d82a8477a21a9a803f
MassLogger
4e3fbf643241ed1d88707fd4a022c5fb312a75004af4ef18adb0b0fc47e6f5b7
MassLogger
5dd8cf7e789bc36a9a069cf42247f758e8900f8913c88e5ac84328d30e6d7c99
MassLogger
74162983ed626c05ba65a31fa71a81ff2bc4cabcfe5019a94f63dc32ae873f23
MassLogger
7428f5ccb3fa2d0ba8b295efd15c9acc87674180aa1d3bf71e8b91cd0a038381
MassLogger
76f57a95f53a1affc3605793c7472f2825b3b0db5f1cd3864136704ebd412803
MassLogger
8f24b4adb843172c14b392bcf73f1f46ac8a20091cb22649110bb937f84b281c
MassLogger
aed72cebee92e2652dddfbec6aa2b2728183b03c62835a2a860480963cae856f
MassLogger
ce073fce9de335c288fe205d5bf7fbdd9fd3ecc718821116dbad098f176a69de
MassLogger
+ 369 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
spyware stealer family:masslogger
Link:
https://tria.ge/reports/201017-8gczf6t996/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
4b174227ea49d30f3378e8469d9849015779d6d3da73333ad0b386411bfade20
MD5 hash:
ff65414919a5ca429bd872a4f5ae696a
SHA1 hash:
3cbfcdb8b5f7bcab7bd09125627228bee497faba
Link:
https://www.unpac.me/results/cc7e1b31-a2d1-4c00-a707-d5fd5f5c88c8/
SH256 hash:
6c0077296db671c7d64671fc38f75db6e12a514bec907a25333434713627d3e5
MD5 hash:
f60ad9db856b088a82ca98183f52fc40
SHA1 hash:
0c7a36a0cfdb85d2e8fa2077ad4126fe8e92d2f4
Link:
https://www.unpac.me/results/cc7e1b31-a2d1-4c00-a707-d5fd5f5c88c8/
SH256 hash:
8c031397e063406a2b6a6ed0d6de292bb36750fd6fe32123f011940c8b583b27
MD5 hash:
be49223d4acfed6277d12f4a419eceb2
SHA1 hash:
0ebac4503ea7cf7c79511e857e848695d3700e7c
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/cc7e1b31-a2d1-4c00-a707-d5fd5f5c88c8/
Parent samples :
4b174227ea49d30f3378e8469d9849015779d6d3da73333ad0b386411bfade20
3909d98e17a32e0f29fbe151a84907b5319b2f8317ba04a8c55ad9668db37e3b
SH256 hash:
b5e9263bd3fb46b7b419faeb1079936b80cd455803dd88ce18a484fe83d8c255
MD5 hash:
cb53acb81c32e4a963e4114055b9ef1e
SHA1 hash:
4ee0bf72aa063284f8ed419554dfb806d0f8425e
Link:
https://www.unpac.me/results/cc7e1b31-a2d1-4c00-a707-d5fd5f5c88c8/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/cc7e1b31-a2d1-4c00-a707-d5fd5f5c88c8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b174227ea49d30f3378e8469d9849015779d6d3da73333ad0b386411bfade20

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 99d55ebeea7a36f5c9549b16ee65675a327edb4c2e43833f3a94a2fd6d200f39

MassLogger

Executable exe 4b174227ea49d30f3378e8469d9849015779d6d3da73333ad0b386411bfade20

(this sample)

  
Dropped by
MD5 c5dc77fff04ead65e4bb9d2da72c5e92
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72448/
  
Dropped by
SHA256 99d55ebeea7a36f5c9549b16ee65675a327edb4c2e43833f3a94a2fd6d200f39

Comments