MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77edc9558f41f26d6b1586ca2fea51861a67de17a50f9494090070285e1f0c43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77edc9558f41f26d6b1586ca2fea51861a67de17a50f9494090070285e1f0c43
SHA3-384 hash: fd4e49527142aeb449f1cca56059be2d8c39b7ba6bd1b81c0abef991403a81c8a54ff651595386117f36d9060a11a75c
SHA1 hash: 39adba5bb7a9585d50993a6264f05aecafcd0a92
MD5 hash: 5a82e2c1d04b28f1d1c7861b231ccfce
humanhash: grey-cardinal-california-hotel
File name:Order Inquiry List.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'199'104 bytes
First seen:2020-08-30 05:56:23 UTC
Last seen:2020-08-30 07:19:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:KdYoa7LkdhGDCQx9ZtEnY2za9LWxUMmSg+R3soXJ6b:nkdyA0MCSg+R3X56
Threatray 542 similar samples on MalwareBazaar
TLSH 7545F127070D9B1DD828B7BD3891018CE3F1A741EF35F0CCED5B51F9694568EA6AB282
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hkt2.dns.com.cn
Sending IP: 182.61.174.182
From: sales@xm-echo.com
Subject: Price Inquiry
Attachment: Order Inquiry List.zip (contains "Order Inquiry List.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53007/
Detection(s):
SecuriteInfo.com.Generic.mg.5a82e2c1d04b28f1.16290.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/454386
Signature
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 279565 Sample: Order Inquiry List.exe Startdate: 30/08/2020 Architecture: WINDOWS Score: 92 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected MassLogger RAT 2->27 29 Yara detected AntiVM_3 2->29 31 5 other signatures 2->31 8 Order Inquiry List.exe 3 2->8         started        process3 file4 21 C:\Users\user\...\Order Inquiry List.exe.log, ASCII 8->21 dropped 33 Injects a PE file into a foreign processes 8->33 12 Order Inquiry List.exe 2 8->12         started        signatures5 process6 process7 14 cmd.exe 1 12->14         started        process8 16 powershell.exe 17 14->16         started        19 conhost.exe 14->19         started        signatures9 23 Deletes itself after installation 16->23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77edc9558f41f26d6b1586ca2fea51861a67de17a50f9494090070285e1f0c43/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2020-08-30 00:37:56 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o7w4svmpihzg22yvq3fc72srqyngpxqxuuhzjfajabycqxq7brbq._file
Verdict:
suspicious
Similar samples:
26f2d26b01147113e1767023ecad609c6b466ce8ede36831362974f808b5f16e
MassLogger
2793ca2b4f702f2ddfcaeb0ccde6700da8b215b9894cf72adbece6a4d57a8e67
MassLogger
2a1b3187f7000dfb10dff758fe598e73e58d6864c5a4579e7c35acd88314ca20
MassLogger
2eea41fa4b1a202182851d36b3866be43e1ba8c4912c18290caaac84da4dbcce
MassLogger
4c172115335644672c3a6ef0b6db25528e124eed105da496db95f2672d7120ea
MassLogger
7391f3917523baee91e92967c12e20c57448474696590fcbc6e5e6b3c5e21f78
MassLogger
8fc4747ee4e9b358ddd1dffff19b0b3f5166e8b4ef15257be68d3fa2decb347e
MassLogger
9bd0b49f2258798d9ee1a8a766bf3fff7527ca463d24f35b27081879cf937890
MassLogger
b6cc6aed76d1b7e069209d41f75b0275cd99154d75672214c039d8bc0e2eae98
MassLogger
e33ecba374a7d34a6c237fde198844930a82c27199c76f49bc0558e0caf1f4a4
MassLogger
+ 532 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/200830-eztbbk6efn/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/77edc9558f41f26d6b1586ca2fea51861a67de17a50f9494090070285e1f0c43

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 02d1bdc78c4558d0b4c573056b3828e82bc4b008832b29a43c66817459fe4bcc

MassLogger

Executable exe 77edc9558f41f26d6b1586ca2fea51861a67de17a50f9494090070285e1f0c43

(this sample)

  
Dropped by
MD5 a6db52b2abbce173ce7795cea8627eb2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/53007/
  
Dropped by
SHA256 02d1bdc78c4558d0b4c573056b3828e82bc4b008832b29a43c66817459fe4bcc

Comments