MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 573b66612f43bd09c655707f60f7a54be3afad50a7de1bd831e26edf3359b069. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 573b66612f43bd09c655707f60f7a54be3afad50a7de1bd831e26edf3359b069
SHA3-384 hash: 87244def87864c131f8e9ab3e5bb6db864c2edb2cae05afd7d10b7f7864b3ad0cd0e44e75132cb226f656eac155b1a72
SHA1 hash: 233eabf33f2a3e2cf53c68540e5c3f5ddb91b389
MD5 hash: bc3612c3da850921b8d6aa49aad594e6
humanhash: princess-uncle-asparagus-speaker
File name:Contract No 12532019.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:940'032 bytes
First seen:2020-10-22 07:07:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:4LA6aBHOYQZ068RVgOrEYysqGksfOkPlBMwOdA1GUKzod:z6UOYY0dDgOrssqGvWk96wyANKzo
Threatray 388 similar samples on MalwareBazaar
TLSH 581512606199B732E3BE8BF6305C450E83B6016E57B2F7644DE377ED2AA1B048790D53
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: bashan.com.tr
Sending IP: 103.114.106.7
From: ORHAN <hande.us@bashan.com.tr>
Subject: BASHAN - ADIYAT MARKETING - Contract No : 1253/2019 - >First shipment - MAERSK
Attachment: Contract 12532019.zip (contains "Contract No 12532019.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74512/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Setting a global event handler for the keyboard
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/506705
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/573b66612f43bd09c655707f60f7a54be3afad50a7de1bd831e26edf3359b069/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 05:57:24 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=k45wmyjpio6qtrsvob7wb55fjpr27lkqu7pbxwbr4jxn6m2zwbuq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
02e422396eb123142575e0dcee9f629941c42543ae8839a931e2cc8eefecb9c4
MassLogger
5388c70ef1d9bfc414a92c3aa4ea34db6992ee705813b5b4a2b4c28b435cbf6c
MassLogger
583e11d3579a63016e568fad73fb9f5ab64e32012ab1a0764f62191ced808078
MassLogger
6e7a5741c5cb3b394efeefd5cac1c71d023df73e4c19a02b9de64ea1a1ae4241
MassLogger
6eced51e9e9f798e79627188c69026a06a576021d112c8b94ed517f2576b009f
MassLogger
6f0c98efd3149c8527cf3f700d123da142275f32c166cf2ca2b186d1acc1286c
MassLogger
9e5f987ad43b66c469e9fed02999cfb62feff01049b5f1ef33804918bead665c
MassLogger
b3b1f3479b7d0033e21ef89ccea063a0281604d4472252cf590ec99be5aa2eb4
MassLogger
dc22665dc14ec019a9f8c421c938db597c2a1b9e439c4a0a0b6dc7b1330e75b8
MassLogger
f2848bb06faec26cdb7bf8df01c598641d0d73c8b7c58a7aed106e9864942cf6
MassLogger
+ 378 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
spyware stealer family:masslogger
Link:
https://tria.ge/reports/201022-3dde3gkj96/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
573b66612f43bd09c655707f60f7a54be3afad50a7de1bd831e26edf3359b069
MD5 hash:
bc3612c3da850921b8d6aa49aad594e6
SHA1 hash:
233eabf33f2a3e2cf53c68540e5c3f5ddb91b389
Link:
https://www.unpac.me/results/c0547b4d-a64b-4b7f-950e-5f1ea22f71a0/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/c0547b4d-a64b-4b7f-950e-5f1ea22f71a0/
SH256 hash:
4086f1cea6921f368a92e1adbf42d787a59f0b3971e4124b947191546653ca12
MD5 hash:
6590320ff5c4f7b677eae84cc3840a09
SHA1 hash:
5e3af049b2fc1d3a5026a27d189c13c90ec71c5f
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/c0547b4d-a64b-4b7f-950e-5f1ea22f71a0/
Parent samples :
88d7ccc6752536d44a533c184e24437ec1181dc841ed7c1fa6bcc408add5340e
4d52797ef29c39adff40c2e0e86ed50ba242028a82af1041d8dff12820bf2a5f
ebfa0ae13cafa77bd2f1da27f39b9a929e101ae2a5633b1b248d7131bcb25ee4
a488227da2824a44b2f2ef864c8cae1cee150d455918986dd5718d1392ad77af
d58538fee18c00f55def8bcaee383bc186440ddd55cb24ab8840cab62183e2ab
fce44d4ea50194f48988cd604e3bd7fa580f9d55ebc1c8c1da791c0737133a9f
e1b5aa4851cd69669566e48206ea250711a3373df342b9417271b7700d24d187
573b66612f43bd09c655707f60f7a54be3afad50a7de1bd831e26edf3359b069
SH256 hash:
c9192555f0b9d6bd6be81748a08c90b67f101c78d72ef31a4a301f491c4ee49c
MD5 hash:
1780a7da71b1e73291a09eaea96a9940
SHA1 hash:
c9c3bd04fd0c3149a8b05bfd707335d05e28c80a
Link:
https://www.unpac.me/results/c0547b4d-a64b-4b7f-950e-5f1ea22f71a0/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip b3daeb7d62a01ac9787f2c702b1e7fbdbdd8d9a386f3c192bf91a277adc020bc

MassLogger

Executable exe 573b66612f43bd09c655707f60f7a54be3afad50a7de1bd831e26edf3359b069

(this sample)

  
Dropped by
MD5 605799b639c55aeefa38846a753fa203
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74512/
  
Dropped by
SHA256 b3daeb7d62a01ac9787f2c702b1e7fbdbdd8d9a386f3c192bf91a277adc020bc

Comments