MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c172115335644672c3a6ef0b6db25528e124eed105da496db95f2672d7120ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c172115335644672c3a6ef0b6db25528e124eed105da496db95f2672d7120ea
SHA3-384 hash: 1bc100e7b6fc7c83cd6075f475e8b02a3ecd5ef89ea9d89d19c209604a2650d41d2b8d245d403f11ef743fc5f028a56b
SHA1 hash: 62c4176372e2220c62e3a7fd35aa39fb20714bab
MD5 hash: 7f4eacda0b105913ee90d2215ec04966
humanhash: cold-montana-equal-fourteen
File name:UPDATED LIST.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:906'752 bytes
First seen:2020-08-13 10:27:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:IpMoKgeu3RbUHI1zpmwVXKT7aK0/jvi8b5XUlsI:QMoz5RbUH6/1++v35ElsI
Threatray 519 similar samples on MalwareBazaar
TLSH 681523835FCB8637C59911774A2810401BF28B9E00BBEFE5BD9143D95B78B8477CA29B
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: rancasan.iixcp.rumahweb.com
Sending IP: 103.247.9.99
From: planet.trading@stepp.xyz
Reply-To: planet_trading@outlook.com
Subject: Re: ORDER
Attachment: UPDATED LIST.rar (contains "UPDATED LIST.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ispy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45084/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Running batch commands
Creating a file
Launching a process
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/425837
Signature
Deletes itself after installation
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 265494 Sample: UPDATED LIST.exe Startdate: 14/08/2020 Architecture: WINDOWS Score: 68 22 Yara detected MassLogger RAT 2->22 24 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 2->24 26 Machine Learning detection for sample 2->26 28 2 other signatures 2->28 8 UPDATED LIST.exe 2 2->8         started        process3 process4 10 UPDATED LIST.exe 3 8->10         started        file5 20 C:\Users\user\...\UPDATED LIST.exe.log, ASCII 10->20 dropped 13 cmd.exe 1 10->13         started        process6 process7 15 powershell.exe 17 13->15         started        18 conhost.exe 13->18         started        signatures8 30 Deletes itself after installation 15->30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c172115335644672c3a6ef0b6db25528e124eed105da496db95f2672d7120ea/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-08-13 10:29:07 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jqlscfjtkzcgolb2n3ylnwzfkkhbetxncbo2jfw3sxzgollredva._file
Verdict:
unknown
Similar samples:
2302005fdd7c57d73c350d541fd0020b051efffdf02a4f3c3e1671cacea30043
MassLogger
262df2047b1eb08b3e58a1edc2823e38563c42d74027a7ecfa2a6a8c7f1f1541
MassLogger
2793ca2b4f702f2ddfcaeb0ccde6700da8b215b9894cf72adbece6a4d57a8e67
MassLogger
2a1b3187f7000dfb10dff758fe598e73e58d6864c5a4579e7c35acd88314ca20
MassLogger
2eea41fa4b1a202182851d36b3866be43e1ba8c4912c18290caaac84da4dbcce
MassLogger
75ec88e7dccc7e244413b855f91a0105d3349f318c6caa98eb0ba3cb31055647
MassLogger
8f8324aa2244c6ecc4369ef6e5ea25b405ecf48aef96e34cc04c56f6ad240ade
MassLogger
a551bc2327862c1430dac51dce368001622525fae235ca689f7b055e0d3125c7
MassLogger
a990373e6225384bd1bab3441dc0cb881f1e03f51f83f7923ca6c9ff228bee5c
MassLogger
ce41031b56cdb4cf97a4c9e24b14ffd16672719457b5a394daa7a4ccb91591bf
MassLogger
+ 509 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200813-jtr8kvw4rn/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4c172115335644672c3a6ef0b6db25528e124eed105da496db95f2672d7120ea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar e752acdb7d689a9d9590850207b69df1d01663e56b4d9d911bee6b2ab17c0bd7

MassLogger

Executable exe 4c172115335644672c3a6ef0b6db25528e124eed105da496db95f2672d7120ea

(this sample)

  
Dropped by
MD5 74e63e2300aa18704f61a81b2e536557
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/45084/
  
Dropped by
SHA256 e752acdb7d689a9d9590850207b69df1d01663e56b4d9d911bee6b2ab17c0bd7

Comments