MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5dd8cf7e789bc36a9a069cf42247f758e8900f8913c88e5ac84328d30e6d7c99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 9

SHA256 hash: 5dd8cf7e789bc36a9a069cf42247f758e8900f8913c88e5ac84328d30e6d7c99
SHA3-384 hash: d1d8c79fb017882b0d2f8c2bf66f06c4e7d20f7950e3918a547af3d800b9eaab0244f4e2d929f2fbe0644713903d72b9
SHA1 hash: 3ea0f19668a030eeb701724a9bff519a278ce893
MD5 hash: 5c9f5be800dbe2bf280a1d5530ce1963
humanhash: low-emma-washington-winner
File name: urgent inquire.exe
Signature: MassLogger
File size: 1'008'640 bytes
First seen: 2020-10-13 10:33:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:TlMtfXFzXISe4kUwV1MZu/EtfkxcsT/wwgjcx2x0L0BwK6RN39GYDQ8B4xnzL:T6BX1XItViZzfkJTD72e4Bwzy8BazL
Threatray: 420 similar samples on MalwareBazaar
TLSH: 7625F13B22F95B22E03EEBBC5520458807F2E987F726D64E7EB951A84157FC607A1703
Reporter: abuse_ch
Tags: exe MassLogger


abuse_ch
Malspam distributing MassLogger:

HELO: tayoco.com.tw
Sending IP: 220.130.88.163
From: "Eyüp Sarikaya" <info@marcegaglia.com>
Subject: urgent inquire
Attachment: urgent inquire.r00 (contains "urgent inquire.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 91
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Creating a file
Result
Threat name: MassLogger RAT
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph (ID 297190; sample: urgent inquire.exe; start date: 13/10/2020; architecture: WINDOWS; score: 100):
  Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 11 other signatures
  urgent inquire.exe (started)
    dropped: C:\Users\user\AppData\Roaming\DtpqcmKqg.exe (PE32)
    dropped: C:\Users\...\DtpqcmKqg.exe:Zone.Identifier (ASCII)
    dropped: C:\Users\user\AppData\Local\...\tmp98E7.tmp (XML)
    dropped: C:\Users\user\...\urgent inquire.exe.log (ASCII)
    signature: Injects a PE file into a foreign processes
    started: urgent inquire.exe (second instance)
      started: powershell.exe
        signature: Deletes itself after installation
        started: conhost.exe
    started: schtasks.exe
      started: conhost.exe
Threat name: ByteCode-MSIL.Trojan.NanoBot
Status: Malicious
First seen: 2020-10-13 05:30:53 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: masslogger
Score: 10/10
Tags: spyware stealer family:masslogger
Behaviour
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SHA256 hash: 9f6a14117a3c7be6a00895df2741aeba6fd29c4e7089c2ab20684d7288d6a77b
MD5 hash: 20128fe828639acb782320b3bf9862cb
SHA1 hash: 3b933a614280a54635b18f29612386678c943fab
Detections: win_masslogger_w0

SHA256 hash: 13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash: 109cedae3c384a1913107f1efad2b7c8
SHA1 hash: 1f7f35b0ed85fa12bb839cbce698e59a30813420

SHA256 hash: 0d2c93c617306e98e78387398b4a15404f65f8f9e299a5ef3cff389f1c6e775e
MD5 hash: b322f4df251b20a1e90f607f3c04026a
SHA1 hash: 6362b81521796851e1c2c950fd6ac84bdc59024e

SHA256 hash: 533fc2122a873517f42da82600bf810bfc877b11414f05949c64a2d5ec3de369
MD5 hash: a4f631308d2a1ca1fab59315755d5d1c
SHA1 hash: 21521b97ac519abf6bf805894e656324cb9934e4

SHA256 hash: 5dd8cf7e789bc36a9a069cf42247f758e8900f8913c88e5ac84328d30e6d7c99
MD5 hash: 5c9f5be800dbe2bf280a1d5530ce1963
SHA1 hash: 3ea0f19668a030eeb701724a9bff519a278ce893
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam | MassLogger | Executable exe 5dd8cf7e789bc36a9a069cf42247f758e8900f8913c88e5ac84328d30e6d7c99 (this sample)

Delivery method: Distributed via e-mail attachment

Comments