MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cf454ec0892e0367356ae674e93612f1c23d9c99874d8ff7de7d77055cbf9c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cf454ec0892e0367356ae674e93612f1c23d9c99874d8ff7de7d77055cbf9c6
SHA3-384 hash: 1a3ab0ea0b934e75f2cbef7f7a205e9278d24f446d424e7202333dc53137f97979d84e26035a6dbfc4e86ecc7728c8e3
SHA1 hash: 28a1a56d03bba60df0da5151c854759b477c40ad
MD5 hash: 4274297082755d98b9d07fad46dd9f33
humanhash: juliet-magazine-two-nineteen
File name:sososos.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'174'528 bytes
First seen:2020-08-10 09:28:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ce9dc34dcdc6dcac1abc92d3ec049de7 (11 x AgentTesla, 4 x MassLogger, 2 x FormBook)
ssdeep 24576:P4UOaeCWal93GVRL+2EslPikoe5e44uo88Toq:PnWM9kRLhvBorvsq
Threatray 2'081 similar samples on MalwareBazaar
TLSH 2245D026A1E04833C366D63F9C0B7667A826BE513A2859492BE45C4C4F397F53C253BF
Reporter abuse_ch
Tags:DHL exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: lnx01.dizaynplus.com
Sending IP: 176.53.68.170
From: DHL Express Shipment Notificationi <hkeximsh@netvigator.com>
Reply-To: hkeximsh@netvigator.com
Subject: DHL Shipment Notice of Arrival: AWB 98-2340799
Attachment: DHL Shipment Notice of Arrival AWB 98-2340799.rar (contains "sososos.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ispy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/42601/
Detection(s):
SecuriteInfo.com.BScope.Adware.Kraddare.1524.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Running batch commands
Creating a file
Unauthorized injection to a system process
Enabling autorun by creating a file
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/416641
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Maps a DLL or memory area into another process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 260711 Sample: sososos.exe Startdate: 10/08/2020 Architecture: WINDOWS Score: 100 41 Yara detected MassLogger RAT 2->41 43 Sigma detected: Drops script at startup location 2->43 45 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->45 47 Yara detected Costura Assembly Loader 2->47 9 sososos.exe 2->9         started        12 wscript.exe 1 2->12         started        process3 signatures4 51 Detected unpacking (changes PE section rights) 9->51 53 Detected unpacking (creates a PE file in dynamic memory) 9->53 55 Detected unpacking (overwrites its own PE header) 9->55 57 7 other signatures 9->57 14 notepad.exe 1 9->14         started        17 sososos.exe 3 9->17         started        19 sososos.exe 12->19         started        process5 signatures6 59 Drops VBS files to the startup folder 14->59 61 Delayed program exit found 14->61 21 cmd.exe 1 17->21         started        63 Writes to foreign memory regions 19->63 65 Allocates memory in foreign processes 19->65 67 Maps a DLL or memory area into another process 19->67 23 sososos.exe 2 19->23         started        25 notepad.exe 1 19->25         started        process7 file8 28 powershell.exe 19 21->28         started        30 conhost.exe 21->30         started        32 cmd.exe 1 23->32         started        39 C:\Users\user\AppData\...\sososososos.vbs, ASCII 25->39 dropped process9 process10 34 powershell.exe 16 32->34         started        37 conhost.exe 32->37         started        signatures11 49 Deletes itself after installation 34->49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6cf454ec0892e0367356ae674e93612f1c23d9c99874d8ff7de7d77055cbf9c6/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-10 08:50:53 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nt2fj3aislqdm42wvztu5e3bf4ochwojtb2nr73547lxavol7hda._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
0e8c4ea04759257bb250d60f1a3b1988888044fd06ce2f9fccef81b047eee4bc
MassLogger
0fd0591e79669d6016acff95109efd434cc39498d83f4ebdaac67c96091e4fa9
MassLogger
1a8d85a16bcc49b33c11489af823ff2f15caa31ecb616330bb54a4ca5b261769
MassLogger
3d0af7312beff6b913ae04b6c6b3f9aac323308a1933952d1c8bd732fdf290ce
MassLogger
3fd662d7caf82ecc8b61b4fa261bc51510851aa36099a85f66c2689c507e11d7
MassLogger
4c8728146976e30a09321d1e158aeeb46908c54fa8614ccef7fbc9761956eca4
MassLogger
6d2a566cdadb7d1397ba4cc96cf0ad361358a717523f547c30af8c92b88b712b
MassLogger
84742df4cd63ab373d601a9f4900b1b55f41ea5f48d93eaebb68b9fd4bf8235a
MassLogger
b8789e245fdcc8f15b3e86a516660004980a8febea95077b7606e5bfc4a7bd31
MassLogger
c7202ac90daa5d696736a32eff2c930eba08332c9416ff6a464ce3ea17f414f9
MassLogger
+ 2'071 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware upx stealer spyware family:masslogger
Link:
https://tria.ge/reports/200810-mwj173sv22/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
Drops startup file
UPX packed file
MassLogger log file
MassLogger
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6cf454ec0892e0367356ae674e93612f1c23d9c99874d8ff7de7d77055cbf9c6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar 95194602842b66bfa515dc2b260b09e45b7024334d5a07bd4ffeb3079d4e6348

MassLogger

Executable exe 6cf454ec0892e0367356ae674e93612f1c23d9c99874d8ff7de7d77055cbf9c6

(this sample)

  
Dropped by
MD5 08bba702616f5f4dfcf269a88ba74634
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/42601/
  
Dropped by
SHA256 95194602842b66bfa515dc2b260b09e45b7024334d5a07bd4ffeb3079d4e6348

Comments