MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60433e0a1c1fb088c5be37ca9760486fd17bb99b848817880b5601e77150e1c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60433e0a1c1fb088c5be37ca9760486fd17bb99b848817880b5601e77150e1c8
SHA3-384 hash: 0f120a00e5e15a88c7244ee1607f74137ee52391366be8deea4772f229e4d9a832d829527c341878ee7f0adc289fe5ed
SHA1 hash: 47df4cdf18c9cc0ad952d4d0a1b82984aacaeeb8
MD5 hash: 9284fd08945f0bd357151eaff2827b78
humanhash: connecticut-green-bulldog-princess
File name:Halkbank,doc.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'135'104 bytes
First seen:2020-11-18 12:18:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5113dec31b8616dbad783836e7188783 (11 x AgentTesla, 2 x HawkEye, 2 x Loki)
ssdeep 12288:Zl1aMljBMKnw6WJoGPb5FUoRAVyImHlaw/NpLtc2EaYhX5QoQHW86kFJ0zcrtHmG:RJCKxWfPNFwyIUlawlpLtctnBHyma+2V
Threatray 2'559 similar samples on MalwareBazaar
TLSH FB35C023A2A05873C12326788CCB5BB8AD3EBED0691B79873BF51D48DF792C13915197
Reporter abuse_ch
Tags:exe geo Halkbank MassLogger TUR


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: halkbank.com.tr
Sending IP: 180.214.236.23
From: T. HALK bankasi<ekstre@halkbank.com.tr>
Subject: T.HALK BANKASI A.S 18.11.2020 Hesap Ekstresi
Attachment: Halkbank,doc.r00 (contains "Halkbank,doc.exe")

MassLogger SMTP exfil server:
mail.buenoshoes.com.tr:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Fareit.bh.12664.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Launching a process
Reading critical registry keys
Setting a global event handler for the keyboard
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/541001
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60433e0a1c1fb088c5be37ca9760486fd17bb99b848817880b5601e77150e1c8/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 12:19:05 UTC
AV detection:
27 of 28 (96.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mbbt4cq4d6yirrn6g7fjoycin7ixxom3qsebpcalkya6o4kq4hea._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
0cb22d3d57812fd7f79b93f77efe33302e171b29f540f3883239f31228966a17
MassLogger
28578186c2a667b64ff27d2200a256593949c65de620f102bb8e0a16202df404
MassLogger
36d9e1dd85890fa27253ebdfcad75e36e75dafbb0f5ef59b0bb26de04308c80a
MassLogger
37899ec2bb2af9ca237b54707d5e7fdff2618bbe743144f71a3338de8bca2c62
MassLogger
3a689219d90ea18f5465111bdededd47656ff55210813139e246b44d3099a30f
MassLogger
8b57afe96667b88596d51dabfee3359371f517cf97a758473eae0f9d2aa97db9
MassLogger
a1cc51486690053098454d2e313c4db5071afb8ae600d8caa87a4c5769ee51c2
MassLogger
ca18e92f0eb610f92ce008b708acdca5969f308e319f5f128099514948dbd808
MassLogger
d18ed06b9419076750525d6324bce7702186263efaa0ab0d3647510268883f37
MassLogger
e6dfcee5a6edf1015136b0173ff2bb953982545f581ecf4a6fdd922c2818c609
MassLogger
+ 2'549 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger spyware stealer upx
Link:
https://tria.ge/reports/201118-3bsmvz1sns/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
UPX packed file
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
60433e0a1c1fb088c5be37ca9760486fd17bb99b848817880b5601e77150e1c8
MD5 hash:
9284fd08945f0bd357151eaff2827b78
SHA1 hash:
47df4cdf18c9cc0ad952d4d0a1b82984aacaeeb8
Link:
https://www.unpac.me/results/07ae0820-b96e-427c-95d3-22b6e525dd33/
SH256 hash:
d2e8fdda571fab2369b8ef03a31599cca12769b671f4b6fdd834be409c69e325
MD5 hash:
7812283b6755d64387b920d1647e23a7
SHA1 hash:
5de53822f2b69758fdd44cd4acff130fd3e1499d
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/07ae0820-b96e-427c-95d3-22b6e525dd33/
Parent samples :
d18ed06b9419076750525d6324bce7702186263efaa0ab0d3647510268883f37
a1cc51486690053098454d2e313c4db5071afb8ae600d8caa87a4c5769ee51c2
37899ec2bb2af9ca237b54707d5e7fdff2618bbe743144f71a3338de8bca2c62
ca18e92f0eb610f92ce008b708acdca5969f308e319f5f128099514948dbd808
60433e0a1c1fb088c5be37ca9760486fd17bb99b848817880b5601e77150e1c8
SH256 hash:
820536107d108155b42a886b01dde97d5e9cee212af939c35e7c77536f9966e0
MD5 hash:
64f6b57845393cd6b95501c9dfbaaafb
SHA1 hash:
6bcd774d68ca96e5216291d067662de7c68b2279
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/07ae0820-b96e-427c-95d3-22b6e525dd33/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

r00 f1e33255ce7680401a386403eddd564844f701ef8ab3751477f5d52437bb3c72

MassLogger

Executable exe 60433e0a1c1fb088c5be37ca9760486fd17bb99b848817880b5601e77150e1c8

(this sample)

  
Dropped by
MD5 b52bfbb49e0297ed876feed660b6f8db
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f1e33255ce7680401a386403eddd564844f701ef8ab3751477f5d52437bb3c72

Comments