MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75c275e5cf07f4932978afa90c68dbd7a4fe9b12e6002e3e933f99156b137181. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75c275e5cf07f4932978afa90c68dbd7a4fe9b12e6002e3e933f99156b137181
SHA3-384 hash: be9ebd82d53b33327de833424b7d15748ac846042a5884a54eff94423d84d2439162855f1ef21320d5477139429e242d
SHA1 hash: ef0698ee923e5a59e14e242f69a91317de80fd09
MD5 hash: df476cc9e14ef1739c9480a16fdcd917
humanhash: mexico-enemy-charlie-oscar
File name:scan7689435.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'115'136 bytes
First seen:2020-08-11 10:00:18 UTC
Last seen:2020-08-11 10:39:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:+paDQAbLPV9MhGGEFmU9yvhikbhlI40z1KTbUq3:yCpMhREB9yhiKjt0
Threatray 701 similar samples on MalwareBazaar
TLSH 6335CFAC325876DEC597CD368A6C2C50AA217C675B1FC60BA017319D9A3DBD78F102B3
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: diyarbakiroto.com.tr
Sending IP: 37.49.224.67
From: MEHMET KORKMAZ <sadin@diyarbakiroto.com.tr>
Subject: Confirmation Of Bank Data
Attachment: scan7689435.r00 (contains "scan7689435.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/43235/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.3527.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/418346
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 261455 Sample: scan7689435.exe Startdate: 11/08/2020 Architecture: WINDOWS Score: 92 35 Sigma detected: Scheduled temp file as task from temp location 2->35 37 Yara detected MassLogger RAT 2->37 39 Machine Learning detection for sample 2->39 41 4 other signatures 2->41 8 scan7689435.exe 5 2->8         started        process3 file4 27 C:\Users\user\AppData\...\UuwUAinFvrI.exe, PE32 8->27 dropped 29 C:\Users\...\UuwUAinFvrI.exe:Zone.Identifier, ASCII 8->29 dropped 31 C:\Users\user\AppData\Local\...\tmp9440.tmp, XML 8->31 dropped 33 C:\Users\user\AppData\...\scan7689435.exe.log, ASCII 8->33 dropped 45 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->45 47 Injects a PE file into a foreign processes 8->47 49 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 8->49 12 scan7689435.exe 2 8->12         started        14 schtasks.exe 1 8->14         started        16 scan7689435.exe 8->16         started        signatures5 process6 process7 18 cmd.exe 1 12->18         started        20 conhost.exe 14->20         started        process8 22 powershell.exe 17 18->22         started        25 conhost.exe 18->25         started        signatures9 43 Deletes itself after installation 22->43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75c275e5cf07f4932978afa90c68dbd7a4fe9b12e6002e3e933f99156b137181/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-11 10:02:07 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oxbhlzopa72jgklyv6uqy2g326sp5gys4yac4puth6mrk2ytogaq._file
Verdict:
unknown
Similar samples:
2302005fdd7c57d73c350d541fd0020b051efffdf02a4f3c3e1671cacea30043
MassLogger
878e1a1b65cc05eb728bf4ce85b7ad87576bbc9c8465d1348c71cef4e8c098f2
MassLogger
9b8c523e9a551600cec0e653e4c8085dcf1b4a7e77559a903e64e7f1aa659223
MassLogger
9d12d73cdddda4b11bbfa38b1bc056e20063a75f38decb5e8af5e6a30c078673
MassLogger
a551bc2327862c1430dac51dce368001622525fae235ca689f7b055e0d3125c7
MassLogger
b2169a0b14394b89cad7d3d4092b1a3e940c4504f9e7d982ebbcfd0b8c603530
MassLogger
b99de03440f57a55e0c9a269df9d79ff2214eb859361d217f76fa86579fd82df
MassLogger
c3678d87151b21e6a29ded035522c1c22950f97787e45b3df2dba52a4e688c97
MassLogger
cf9aa52cd8829760f779772b7b483ff039100b5d6311c85f969553b6ce66d58b
MassLogger
f4bf32943d6b14bf9e025c20f0fb7342982c025ba64b151687a99202091bf2eb
MassLogger
+ 691 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/200811-2ff65pp49e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Maps connected drives based on registry
Checks BIOS information in registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Looks for VirtualBox Guest Additions in registry
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/75c275e5cf07f4932978afa90c68dbd7a4fe9b12e6002e3e933f99156b137181

File information

The table below shows additional information about this malware sample such as delivery method and external references.

c494092f69c7639e0f2ee25f5c5266e3

MassLogger

Executable exe 75c275e5cf07f4932978afa90c68dbd7a4fe9b12e6002e3e933f99156b137181

(this sample)

  
Dropped by
MD5 c494092f69c7639e0f2ee25f5c5266e3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/43235/

Comments