MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d5405cf3198047a427b4da472f40ab86a0cd75b9c07f3b8be17e6bca87c149f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d5405cf3198047a427b4da472f40ab86a0cd75b9c07f3b8be17e6bca87c149f
SHA3-384 hash: 71f90dbab8f4655c0fb456e0004a15691ec5e99064d89485238c1030103f7a8e9b9465dce28914bcbddab12617720dc4
SHA1 hash: e49516c4a27378cd29d15d0253871be3e9cc6a15
MD5 hash: febe72287982a2f1bec5923deb36cbad
humanhash: berlin-two-edward-paris
File name:New PO0042.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'093'632 bytes
First seen:2020-07-29 14:40:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:vivOmvf6RgvYTlxye9SRNXEOuFKXJUEIWkqZ:vArfS5xPYUOuFKZll
Threatray 588 similar samples on MalwareBazaar
TLSH 43350268B6E5C524CBBE1239E2ED0900CFFC91956537D76D3988A3AB1CE3792F4041B9
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: als.sparkmail.jp
Sending IP: 202.233.10.33
From: asep.yusuf@ngehe.com
Subject: New POs - Ready for payment
Attachment: New PO0042.gz (contains "New PO0042.exe")

MassLogger SMTP exfil server:
smtp.gmail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35004/
Detection(s):
SecuriteInfo.com.Fareit-FXUFEBE72287982.27662.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading Telegram data
Reading critical registry keys
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Deleting a recently created file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/402770
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d5405cf3198047a427b4da472f40ab86a0cd75b9c07f3b8be17e6bca87c149f/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-29 14:42:12 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lvkaltzrtachuqt3jwshf5akxbvazv23tqd7hof6c7tlzkd4cspq._file
Verdict:
unknown
Similar samples:
0352d55cf10867420b433bcd9adfdb0e39afe2484db5c57946bb86297a39ecbd
MassLogger
0b8816ca9d3b6f03b3a60637504d206815c6bf230cf410ccce9af1bdea3d2839
MassLogger
180e4218ee6183934cbb4750a6394ab8faa8910ad2215df3334323f43e161758
MassLogger
3260e8fc7872ff596b2f284a7731619f46311c301be2b04f0910b5f7887b8fb9
MassLogger
38620b79b0821d5fc2a7e230a3e2c31f30773a749451c3618414d83f82e884e9
MassLogger
473a8f77c574d92bdce8c6537a67e053162b745128fcfbb48a873dc57e6e5321
MassLogger
9ec8e30fe5bac7ee3e9c096fc3702286d6c0fbee3ae1fa4cd7d5a6a411b600e5
MassLogger
a330dfb1074f6b02e49e5835f820821b0e75f691dac46057332381d172f640ea
MassLogger
b770e145ef0e53fe2df0d45b04230e97dd214e209bfe9860dfa56988dd7d1796
MassLogger
d04dfa9f36d64e850ec774b59542cf7e07167144fd6646c3cb3a99740ff75ce0
MassLogger
+ 578 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200729-kq2yqsf1me/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger log file
MassLogger
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/5d5405cf3198047a427b4da472f40ab86a0cd75b9c07f3b8be17e6bca87c149f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

gz 034e6fae9136bedf31c6fa7cbc23cbf87ae34a4fb21a200314a4bc0f8b706a8b

MassLogger

Executable exe 5d5405cf3198047a427b4da472f40ab86a0cd75b9c07f3b8be17e6bca87c149f

(this sample)

  
Dropped by
MD5 dd831fba44e0a0ac10a970bd2471e922
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/35004/
  
Dropped by
SHA256 034e6fae9136bedf31c6fa7cbc23cbf87ae34a4fb21a200314a4bc0f8b706a8b

Comments