MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7391f3917523baee91e92967c12e20c57448474696590fcbc6e5e6b3c5e21f78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	7391f3917523baee91e92967c12e20c57448474696590fcbc6e5e6b3c5e21f78
SHA3-384 hash:	033bb03b97e6df2470963ad19c3eac219210af38f551cda6dee1173a498a96f4b16f2354478a3decf782d47b0adb97de
SHA1 hash:	209c462e664c6ed80c84a611d5a8b1f7534c5b19
MD5 hash:	21a228a97e5cf4151c2d9c30b5881af4
humanhash:	mango-eighteen-early-early
File name:	Order Items For Quote.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'436'160 bytes
First seen:	2020-08-30 05:58:11 UTC
Last seen:	2020-08-30 07:19:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:QBRiL+FTEACveIj1pJDVGyxZG/hryD2dSct2gbB5na7:az8GAzTZG/RyASWb
Threatray	549 similar samples on MalwareBazaar
TLSH	6B65D0023B059B58F568773BE49A004C83F4B901FA71E35AFDEB32AD442175EB41AAD7
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: hkt2.dns.com.cn
Sending IP: 182.61.174.182
From: sales@xm-echo.com
Subject: Price Inquiry
Attachment: Order Items For Quote.zip (contains "Order Items For Quote.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/53011/

Detection(s):

SecuriteInfo.com.Artemis21A228A97E5C.2890.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Running batch commands

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/454394

Signature

.NET source code contains potential unpacker

Deletes itself after installation

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7391f3917523baee91e92967c12e20c57448474696590fcbc6e5e6b3c5e21f78/

Threat name:

ByteCode-MSIL.Trojan.NanoBot

Status:

Malicious

First seen:

2020-08-29 21:35:03 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ooi7helveo5o5epjfft4clrayv2eqr2gszmq7s6g4xtlhrpcd54a._file

Verdict:

malicious

Label(s):

agenttesla

MassLogger

2a1b3187f7000dfb10dff758fe598e73e58d6864c5a4579e7c35acd88314ca20

MassLogger

2eea41fa4b1a202182851d36b3866be43e1ba8c4912c18290caaac84da4dbcce

MassLogger

4c172115335644672c3a6ef0b6db25528e124eed105da496db95f2672d7120ea

MassLogger

77edc9558f41f26d6b1586ca2fea51861a67de17a50f9494090070285e1f0c43

MassLogger

8fc4747ee4e9b358ddd1dffff19b0b3f5166e8b4ef15257be68d3fa2decb347e

MassLogger

97a3f574869dfb82834d7481df5e280ab0944dda13ff548d5674e960493cfb8c

MassLogger

9bd0b49f2258798d9ee1a8a766bf3fff7527ca463d24f35b27081879cf937890

MassLogger

b6cc6aed76d1b7e069209d41f75b0275cd99154d75672214c039d8bc0e2eae98

MassLogger

e33ecba374a7d34a6c237fde198844930a82c27199c76f49bc0558e0caf1f4a4

MassLogger

+ 539 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200830-hq6nehbl3e/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7391f3917523baee91e92967c12e20c57448474696590fcbc6e5e6b3c5e21f78

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 2f2d8602e4ce2c31c28637f0fbbde9b0b6a0afe099206acf0d368eaee55c4064

MassLogger

exe 7391f3917523baee91e92967c12e20c57448474696590fcbc6e5e6b3c5e21f78

(this sample)

Dropped by

MD5 caa44581965ac17a8b9165c1722da39b

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/53011/

Dropped by

SHA256 2f2d8602e4ce2c31c28637f0fbbde9b0b6a0afe099206acf0d368eaee55c4064

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample