MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fe6f0c6283425f0589192cad9f392ce4d2bbfe085b8cc47b91eb2508c6ab2c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fe6f0c6283425f0589192cad9f392ce4d2bbfe085b8cc47b91eb2508c6ab2c7
SHA3-384 hash: 7904d6be00a36892d1f0c03ff16baf1e0bfc07bbad10ee06b919700b0548bf4b0389129fc8941f2e196c13b2252cc113
SHA1 hash: 8e7b2c8812993837408c1beda18349869ec6292e
MD5 hash: ed692baa179d0637827bded64d462396
humanhash: green-uniform-mobile-summer
File name:Alhammra RFQ 005-0111.PDF.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'208'320 bytes
First seen:2020-11-06 07:23:35 UTC
Last seen:2020-11-06 08:43:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:S9Vpuw/R5Pfjv470By6y9dj54YJEZ+XQlA0RtZNr03Qsf:c/7gII5j53JO+glXt0gw
Threatray 493 similar samples on MalwareBazaar
TLSH 7245D0FA6282E76BC40F003FF84B256193D9DB6E59F8804697C5B51D127C6CE66BC08B
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: whmsrv01.virtualariki.com.br
Sending IP: 177.11.209.2
From: Miguel Alonso <malonso@alhammra.com>
Subject: Alhammra Request for Quotation
Attachment: Alhammra RFQ 005-0111.PDF.r00 (contains "Alhammra RFQ 005-0111.PDF.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.913.23583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Launching a process
Reading critical registry keys
Setting a global event handler for the keyboard
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/522171
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fe6f0c6283425f0589192cad9f392ce4d2bbfe085b8cc47b91eb2508c6ab2c7/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 05:27:01 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j7tpbrrigqs7awerslfnt44szzgsxp7aqw4myr5zd2zfbddkwldq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
350e219c13047857943a54ec0f55a0db19e2980cbff9d73f1aea34b9bd0b17de
MassLogger
37899ec2bb2af9ca237b54707d5e7fdff2618bbe743144f71a3338de8bca2c62
MassLogger
420964e0ddf92963742717a6101a8a1ba18882ad7187a5cf0b586d717b87dfb7
MassLogger
4887639a62fab8baa56b119e5f05ec897ff95ec2b03833fc93cdc6a434f704b1
MassLogger
4f36b4eb0d565ea62c101d519b263f900409c38d769ad365ac85afcd8efa6fa8
MassLogger
86c47856c1763cd1fa746ad990a69b1c3f5c783cdb68b18c9335af1d6b65fbb4
MassLogger
8bb96bc7a886ac113b6fbbd8c07e7e6629fc695d7558a28cb8b0fa6c77ce9100
MassLogger
c930deb75ebc8fd117d585898358df69af8ce6ffe9569ef5f47ad9fc6f26d01e
MassLogger
ca461421154f0bfaa9b24b0ed5ea776ddeffc9775e3fdb4da1339dcc352468c6
MassLogger
caae4001f524c83a5c3c3b7f7a56d3344d9de742eadbfc54bf3e7fda14354392
MassLogger
+ 483 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger persistence spyware stealer
Link:
https://tria.ge/reports/201106-tkswhtt7sj/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
4fe6f0c6283425f0589192cad9f392ce4d2bbfe085b8cc47b91eb2508c6ab2c7
MD5 hash:
ed692baa179d0637827bded64d462396
SHA1 hash:
8e7b2c8812993837408c1beda18349869ec6292e
Link:
https://www.unpac.me/results/90976354-80a8-400f-9396-9e4ca9e0c8a7/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/90976354-80a8-400f-9396-9e4ca9e0c8a7/
SH256 hash:
7788d06b5c2d22b6adaca45d3a9e8a664ec1757865844612b73d4c9e68edfb89
MD5 hash:
49e12efa45919f5baeeb43f2e68e773d
SHA1 hash:
4e73a5b57f3641f170e34ef68c388d0c7469a82c
Link:
https://www.unpac.me/results/90976354-80a8-400f-9396-9e4ca9e0c8a7/
SH256 hash:
b07eb1b18052fe02e2dee07f5d65bbb906163a364690bdbeb599d64882a49c61
MD5 hash:
4bf951387d15470b044fa63427cd03aa
SHA1 hash:
f582cfc299b4a63ea7cbcdd6e61fb39020c326c0
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/90976354-80a8-400f-9396-9e4ca9e0c8a7/
Parent samples :
d289aa3e60f3ab62850fb533294c99a08995da13ec6d73ed23a0d1d2312ab1c3
4fe6f0c6283425f0589192cad9f392ce4d2bbfe085b8cc47b91eb2508c6ab2c7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

r00 5cbbc00f42cf7d1775077f2417a155cf7ca5c08d73f16f9cccc1e202f08ff677

MassLogger

Executable exe 4fe6f0c6283425f0589192cad9f392ce4d2bbfe085b8cc47b91eb2508c6ab2c7

(this sample)

  
Dropped by
MD5 f379de2acf455bb58390fa197bbcd09e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5cbbc00f42cf7d1775077f2417a155cf7ca5c08d73f16f9cccc1e202f08ff677

Comments