MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 669c338b6022e64b567ca5975b33f2ca26ec77e3b85d3dcb5b8d2002417333d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 669c338b6022e64b567ca5975b33f2ca26ec77e3b85d3dcb5b8d2002417333d9
SHA3-384 hash: 59220002e26716ba115a7274f2c46844299f9b9e8e71c85e2c35f8a6609bfa497469aeaf11866c043e1c575db0869f4e
SHA1 hash: 67a3f94a336f948ae05ff0602da65a280724d20a
MD5 hash: de4c844f35d52505811b90bd71c5c0c4
humanhash: pasta-fix-fourteen-connecticut
File name:RFQ_200827073--(MH202514)---01-90160-R0-(A1Jay inc).pdf.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:533'752 bytes
First seen:2020-08-31 12:23:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:I5hwRr+lqfMc3qm1dVSTh+tJhfuDRNFIWTsk2xDtJ85l1p2+Bx2KNt:I5hGJN5O8DOFvsDFwX
Threatray 28 similar samples on MalwareBazaar
TLSH E2B4F1DD762072EFC817C4B2DE581CA8EF2075BB571B4113A02761ADAE4D68BCF191B2
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: williamsrecognition.com
Sending IP: 31.168.40.90
From: Judy .M <judy.m@williamsrecognition.com>
Subject: NEED RUSH QUOTE
Attachment: RFQ_200827073--MH202514---01-90160-R0-A1Jay inc.pdf.z (contains "RFQ_200827073--(MH202514)---01-90160-R0-(A1Jay inc).pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ispy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/53499/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.6936.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Launching a process
Creating a file
Forced shutdown of a system process
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/455419
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/669c338b6022e64b567ca5975b33f2ca26ec77e3b85d3dcb5b8d2002417333d9/
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-31 04:37:56 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m2odhc3aeltewvt4uwlvwm7szitoy57dxbot3s23ruqaeqltgpmq._file
Verdict:
unknown
Similar samples:
7f65935cd55b5a0978bf0a70690462a08d83657a97ddbe6aba871a5496d5f9c5
MassLogger
8bd39d451b99909467edb3df6618762071da426ee580108882e300cf8b21b0cb
MassLogger
9b19c9209b2ae45df8c1d9d9f9b4e00f3d6c9edfb4ff64578d06a5a3f0a099e2
MassLogger
9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4
MassLogger
9f999d5b44ff7bd243bc33f8a89f504c95d6b21eef26b7b80a49715471ff43d3
MassLogger
c7f039cff52a5c1de59fb782259f3fd2054946e9fca03d364f61c7977128dcca
MassLogger
d8cea078199dbdef51ec7189cf03541bbcbd10c49a133b187348e2a24fe1e2eb
MassLogger
dc0087097e433036c00aaf8751d4cd9dc3e309fdba09c2ee1415a4060aa1cced
MassLogger
e2df2b406150713616dbcbdbba76f1939e2605c3b30c6ae62e05832eb874e0e0
MassLogger
ed42640da83dda3bf2ed08c414bfd256a82c9a8ef1894a59e3c421b254c59d4d
MassLogger
+ 18 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/200831-hlkdnxas1x/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/669c338b6022e64b567ca5975b33f2ca26ec77e3b85d3dcb5b8d2002417333d9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 5a197b6d552d591e6f885873a6047214956e3f0af7e5f51c4d5d9419c04e2390

MassLogger

Executable exe 669c338b6022e64b567ca5975b33f2ca26ec77e3b85d3dcb5b8d2002417333d9

(this sample)

  
Dropped by
MD5 3eae25c323064ef882312be045b4e148
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/53499/
  
Dropped by
SHA256 5a197b6d552d591e6f885873a6047214956e3f0af7e5f51c4d5d9419c04e2390

Comments