MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81294a847822a4b2b75133370a6b627d8fd2db2470767608522c4229ffa88133. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	81294a847822a4b2b75133370a6b627d8fd2db2470767608522c4229ffa88133
SHA3-384 hash:	e57e841b407abf362c292aec37f7ef7e7dc51ba703700ea92549099365bced42ae7776560302fc41fb6a680e02e3ac34
SHA1 hash:	6f1a556ed1207733670dc49679c32dc726c84e1b
MD5 hash:	88a058ae596480716d3e24bc0a6e8b30
humanhash:	colorado-nineteen-ten-virginia
File name:	August Order2020.PDF.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	875'008 bytes
First seen:	2020-08-19 11:51:41 UTC
Last seen:	2020-08-19 12:45:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:Bsvu1dTKWbFw1C1i9DiCf2OgK5aJnh3AoAC5KC48GDS3Oj75gxZTEC5CUZbNONwG:+vuHGLhL5aJh3HA0dZuS3Pf2UNxNl
Threatray	535 similar samples on MalwareBazaar
TLSH	DE1501587514E29FC75A8C36EC54FCF843905DB3EE0AF2039D13BDDA7A3EA958A00466
Reporter	abuse_ch
Tags:	exe MassLogger SendGrid

abuse_ch

Malspam distributing unidentified malware:

HELO: wrqvqntk.outbound-mail.sendgrid.net
Sending IP: 149.72.66.113
From: Jessica <order@em9914.jcwholesale.co.uk>
Reply-To: <info@industralmail.com>
Subject: August Order
Attachment: August Order2020.PDF.zip (contains "August Order2020.PDF.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

82

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/48476/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.405.6749.24693.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/437811

Signature

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/81294a847822a4b2b75133370a6b627d8fd2db2470767608522c4229ffa88133/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-18 13:32:06 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qeuuvbdyekslfn2rgm3qu23cpwh5fwzeob3hmccsfrbct75iqezq._file

Verdict:

unknown

Similar samples:

45eac93db3a0554afa555fdfced45c8bd9d5c973d05f3e4b40219be984dd0d28

4c172115335644672c3a6ef0b6db25528e124eed105da496db95f2672d7120ea

5bcbbf82aa7c1bde8cddd6a6d50b4b082555ddb0dd23dd468ef238850238ed2a

987e0b5d35a989d7eff88f7aed06a643e18d500266871e9e1cb901ed8f3d484a

a4df7bd8daff5a4723055c7589244e1719c45223f09f42b06a621aad5ee1f2f4

a72fad6bdee764f3157dd34661dc5d1938e230d6f7a04f92c9f84188ad837553

b8789e245fdcc8f15b3e86a516660004980a8febea95077b7606e5bfc4a7bd31

c7202ac90daa5d696736a32eff2c930eba08332c9416ff6a464ce3ea17f414f9

df68e151234024e309edd6285be6afa2ac21b30fa660f3aefe4417b17ab27400

f1ce8a3c72d7e45300b38de923c0ad45c466ef17a44bec4aad85a4672690eb22

+ 525 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware stealer spyware family:masslogger

Link:

https://tria.ge/reports/200819-cc9vq7vz9x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/81294a847822a4b2b75133370a6b627d8fd2db2470767608522c4229ffa88133

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 2cac115d43ee23581e2b341477ea8cd2c7ab7ffddbbf1e93831dd147bcd3e201

exe 81294a847822a4b2b75133370a6b627d8fd2db2470767608522c4229ffa88133

(this sample)

Dropped by

MD5 c11dd54efd734b726a7e8335a94b0513

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/48476/

Dropped by

SHA256 2cac115d43ee23581e2b341477ea8cd2c7ab7ffddbbf1e93831dd147bcd3e201

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample