MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72e7cc356ae54233b8d85e2850edd6d998f60e3521e1b58d64281835529d43dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72e7cc356ae54233b8d85e2850edd6d998f60e3521e1b58d64281835529d43dc
SHA3-384 hash: a365b5daead6fa796ddddf2436216fc485e3673573be4719c4180cb5e5588621b3bee7d4061eb9c9ad77748620dea013
SHA1 hash: c967c2a0e95b123f25a982d5e9ec3c5f8887a53f
MD5 hash: bd7333d30ecf378ee0cd47ed08249b3f
humanhash: montana-one-pasta-delaware
File name:INV-ORDER8838934.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'773'960 bytes
First seen:2020-10-19 10:46:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:DpnVXgUrz1FLqg/Rkf+MrmgvGSa7pwNeD9NO84wG:9n5gUZ85XGjwohE84v
Threatray 157 similar samples on MalwareBazaar
TLSH 4F85A22039BA905DF173AF768ED475A6DA2BF7733606945D209283070913E83DFCA53A
Reporter abuse_ch
Tags:exe MassLogger

Code Signing Certificate

Organisation:GlobalSign Timestamping CA - G2
Issuer:GlobalSign Root CA
Algorithm:sha1WithRSAEncryption
Valid from:Apr 13 10:00:00 2011 GMT
Valid to:Jan 28 12:00:00 2028 GMT
Serial number: 0400000000012F4EE152D7
Intelligence: 12 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: C977923C771E1A66C925A2B6F501732E678DC9887AFE6BFAAC039D1D9A71F0EC
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: my.dataparadise.in
Sending IP: 208.187.163.109
From: bhavesh@grainsplusimportexport.com
Subject: Re: PROFORM INVOICE
Attachment: INV-ORDER8838934.bz (contains "INV-ORDER8838934.exe")

MassLogger SMTP exfil server:
mail.digitalprint.hr:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/495282
Signature
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 300098 Sample: INV-ORDER8838934.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 38 nagano-19599.herokussl.com 2->38 40 elb097307-934924932.us-east-1.elb.amazonaws.com 2->40 42 api.ipify.org 2->42 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected MassLogger RAT 2->56 58 6 other signatures 2->58 8 INV-ORDER8838934.exe 15 8 2->8         started        13 zohomake.exe 2->13         started        signatures3 process4 dnsIp5 44 elb097307-934924932.us-east-1.elb.amazonaws.com 54.235.169.38, 49730, 80 AMAZON-AESUS United States 8->44 46 nagano-19599.herokussl.com 8->46 48 api.ipify.org 8->48 34 C:\Users\user\AppData\...\zohomake.exe, PE32 8->34 dropped 36 C:\Users\user\...\INV-ORDER8838934.exe.log, ASCII 8->36 dropped 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->60 62 Adds a directory exclusion to Windows Defender 8->62 15 cmd.exe 1 8->15         started        18 cmd.exe 1 8->18         started        20 powershell.exe 23 8->20         started        64 Multi AV Scanner detection for dropped file 13->64 file6 signatures7 process8 dnsIp9 50 192.168.2.1 unknown unknown 15->50 22 zohomake.exe 15->22         started        24 conhost.exe 15->24         started        26 timeout.exe 1 15->26         started        28 conhost.exe 18->28         started        30 schtasks.exe 1 18->30         started        32 conhost.exe 20->32         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/72e7cc356ae54233b8d85e2850edd6d998f60e3521e1b58d64281835529d43dc/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 06:52:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=olt4ynlk4vbdhogylyufb3ow3gmpmdrvehq3ldlefamdkuu5ipoa._file
Verdict:
suspicious
Similar samples:
0290b4bba5483f6c9865c8b2a1df7e0756a6d5ade4a2dc5ced0a380a9988d35c
MassLogger
1e9ff9549343dcb17dcb137508657a94e5503579e0e0741443b27c732b62fa5c
MassLogger
1f6ec588edbf2a5b1796f89ad775229cad1066bc93607baa8993a19323be34e8
MassLogger
7490493c29c4dd5b704a2ab854310b61b246d25b585c6a9f08232bd6bc221a98
MassLogger
8f9f89be357d1d17b6281bf9f6caebfa97fdbfcb6aec50e4aa147d0e24e909e7
MassLogger
92715192ee868e9d408f9449893688c609bb81fb522f9af00f9cf8caeaf098a2
MassLogger
a14dc3eb54f3876b3a2bfc6e0aa105c832fc5424130c43248995cceda6790133
MassLogger
c0b81523511df7b87111c6d4d849f08326e22a15adeb15a203feb8ce5ca56a75
MassLogger
e7f93c2a012002bd558069f5d5d7b20ee1df9ecade97d85f6edd9e0b66be0623
MassLogger
f4c25b70ae9ea0c7f4a7f028011167b7154ded11a0b8e90b1c7570ba9af1f2f2
MassLogger
+ 147 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
spyware stealer family:masslogger
Link:
https://tria.ge/reports/201019-l6cnxrglm2/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
72e7cc356ae54233b8d85e2850edd6d998f60e3521e1b58d64281835529d43dc
MD5 hash:
bd7333d30ecf378ee0cd47ed08249b3f
SHA1 hash:
c967c2a0e95b123f25a982d5e9ec3c5f8887a53f
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/c1a4000c-ad8c-4319-ae40-ea0f76cfdad9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
MassLogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/72e7cc356ae54233b8d85e2850edd6d998f60e3521e1b58d64281835529d43dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar f91ec02d8a1cde07c766b818acc5c779303e72babd33f9daafd058c5f9ab15ff

MassLogger

Executable exe 72e7cc356ae54233b8d85e2850edd6d998f60e3521e1b58d64281835529d43dc

(this sample)

  
Dropped by
MD5 e913b04e04e8686241564e83f10be46e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72909/
  
Dropped by
SHA256 f91ec02d8a1cde07c766b818acc5c779303e72babd33f9daafd058c5f9ab15ff

Comments