MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 812cab79f178c577ea0fa8541ef9d34cb7688277c55b96f5e61c91c8da4bccfc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 812cab79f178c577ea0fa8541ef9d34cb7688277c55b96f5e61c91c8da4bccfc
SHA3-384 hash: bcabe3f4e67323cc2de4880191d0522ed6bf639e5123b67743f53e107919ad1ff7b792cf9fb62d41dde876a1c2df74c9
SHA1 hash: 2334eefaf896a256fc3fae430a725ef0cbd52611
MD5 hash: ed377b213ce1e0ba4a69c155d5273af9
humanhash: fillet-idaho-sweet-alanine
File name:Inquiry_pdf.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:430'592 bytes
First seen:2020-11-26 06:52:01 UTC
Last seen:2020-11-27 14:05:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:kg53WYHK0VemlowJVAIMcJiw0JjMK5lP64kwMztGG:vbHlgmJ2IMAiBCyP64X8GG
Threatray 117 similar samples on MalwareBazaar
TLSH 139423AD3F22D922C3159235C5D1A630473BEA8F7963EB1678D1638A7C237C53A46B34
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: slot0.dnetishy.com
Sending IP: 45.85.90.147
From: MONJO MANFACTURING<office@dnetishy.com>
Subject: First/ Urgent Inquiry
Attachment: Inquiry_pdf.gz (contains "Inquiry_pdf.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% subdirectories
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Launching a process
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/547809
Signature
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 323007 Sample: Inquiry_pdf.exe Startdate: 26/11/2020 Architecture: WINDOWS Score: 88 46 Multi AV Scanner detection for dropped file 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 2->50 52 5 other signatures 2->52 7 Inquiry_pdf.exe 16 5 2->7         started        12 firefos.exe 2 2->12         started        14 firefos.exe 14 2 2->14         started        process3 dnsIp4 32 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.42.25, 49718, 49747, 80 AMAZON-AESUS United States 7->32 34 nagano-19599.herokussl.com 7->34 36 api.ipify.org 7->36 28 C:\Users\user\AppData\Roaming\...\firefos.exe, PE32 7->28 dropped 30 C:\Users\user\...\firefos.exe:Zone.Identifier, ASCII 7->30 dropped 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->54 56 Tries to steal Mail credentials (via file access) 7->56 58 Adds a directory exclusion to Windows Defender 7->58 16 powershell.exe 26 7->16         started        38 54.204.14.42, 49749, 80 AMAZON-AESUS United States 12->38 44 2 other IPs or domains 12->44 60 Tries to harvest and steal browser information (history, passwords, etc) 12->60 18 powershell.exe 12->18         started        40 nagano-19599.herokussl.com 14->40 42 api.ipify.org 14->42 20 powershell.exe 14->20         started        file5 signatures6 process7 process8 22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        26 conhost.exe 20->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/812cab79f178c577ea0fa8541ef9d34cb7688277c55b96f5e61c91c8da4bccfc/
Threat name:
ByteCode-MSIL.Spyware.Masslogger
Create hunting rule
Status:
Malicious
First seen:
2020-11-26 01:47:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qewkw6prpdcxp2qpvbkb56otjs3wratxyvnzn5pgdsi4rwslzt6a._file
Verdict:
malicious
Similar samples:
06801bb55190871266ca5846aaf7932d1f41813536403f7367c10dbbe3218632
MassLogger
12e2fade9c6f17595717385e99c97a448e87bbbb6a7a30ea2c31062983f4c065
MassLogger
1e003aa6499e75fcb47a0288d1e43b523b13b394bb8b692eae0b314a124d6f26
MassLogger
2b0246f1de2f4e3943cf158feac18ace5a46c21ce8ed37b6efcc12114a44329e
MassLogger
546b14e45dad5ac436d7c928dc8e325082eacf2bd329a6f21648f37a37fe507d
MassLogger
59a680dd944269f001e9cd0c64baf199ca8fb8673caa18e7faf9cddc6562861e
MassLogger
7c5159e4f3a2f206d7eac9a4d6fec1ff16e0bc85b1d2879757383709c297ae1b
MassLogger
8d66edd777191f1972fee3bbd11950bca3af608a2e3f3392c4c778a1ab991ec3
MassLogger
b2e5c043068bc3ec4be61c4884722589649aceef5adfb5c3a0e84a4172554e1c
MassLogger
e95d8b2d7c80f9b47d7c3fb368256962c357404e85f45701a473b6354ca18133
MassLogger
+ 107 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger persistence spyware stealer
Link:
https://tria.ge/reports/201126-b3c5p7xk2e/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
0b623697c48939d94ffa6733b36801f072619216f85b86071b1493ffe249847b
MD5 hash:
1d71ccd71155d2ca40ecc203b725c02c
SHA1 hash:
b53d76b10d766dc9a35795cea21cf8b21b9ba88f
Link:
https://www.unpac.me/results/bf541ad4-236f-4e60-bc48-3b09400ae9b8/
SH256 hash:
812cab79f178c577ea0fa8541ef9d34cb7688277c55b96f5e61c91c8da4bccfc
MD5 hash:
ed377b213ce1e0ba4a69c155d5273af9
SHA1 hash:
2334eefaf896a256fc3fae430a725ef0cbd52611
Link:
https://www.unpac.me/results/bf541ad4-236f-4e60-bc48-3b09400ae9b8/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

gz 501ffcb56843ce083779339dce8e45517abb44ada11298738d678dc6940cc6aa

MassLogger

Executable exe 812cab79f178c577ea0fa8541ef9d34cb7688277c55b96f5e61c91c8da4bccfc

(this sample)

  
Dropped by
MD5 c8a53b5007510acfe36c270c2383d32a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 501ffcb56843ce083779339dce8e45517abb44ada11298738d678dc6940cc6aa
Cape
Cape
https://www.capesandbox.com/analysis/105604/

Comments