MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 845843a97512af3f6c1de5399010118465145957916aade4dc299fc317e13858. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
MassLogger
Vendor detections: 9
| SHA256 hash: | 845843a97512af3f6c1de5399010118465145957916aade4dc299fc317e13858 |
|---|---|
| SHA3-384 hash: | e4b326654e6cb4f2fd2fb00a3a40920ddf61d666288fc7d9c7baba36c4102cbea7d50d12c0e36e9cd79a88678b6bf740 |
| SHA1 hash: | 0ce3640c153f160cec503b0aa8f7666ba9e266de |
| MD5 hash: | 1a43f6c0caa53e119394d009e9719d7d |
| humanhash: | september-red-sodium-enemy |
| File name: | Purchase Order_pdf.exe |
| Download: | download sample |
| Signature | MassLogger |
| File size: | 909'312 bytes |
| First seen: | 2020-10-16 10:35:23 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger) |
| ssdeep | 24576:ROYpP3mBjidzlgqOZUR/VO7/DZ0RaClY2:AAP2BGVOeVs7KzlY2 |
| Threatray | 349 similar samples on MalwareBazaar |
| TLSH | 2415022537A4DF65E23DA77A20B5009017F4B596E716DB0E3EA513CC2962F801F73B2A |
| Reporter |  abuse_ch |
| Tags: | exe MassLogger |
abuse_ch
Malspam distributing MassLogger:HELO: mail0.goregan.cf
Sending IP: 128.199.47.113
From: Grace<argo0001@ms18.hinet.net>
Subject: ORDER PICTURES
Attachment: Purchase Order_pdf.gz (contains "Purchase Order_pdf.exe")
Intelligence
File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Setting a global event handler for the keyboard
Result
Threat name:
MassLogger RAT
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2020-10-15 12:35:48 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
masslogger
Similar samples:
+ 339 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Score:
10/10
Tags:
spyware stealer family:masslogger
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
845843a97512af3f6c1de5399010118465145957916aade4dc299fc317e13858
MD5 hash:
1a43f6c0caa53e119394d009e9719d7d
SHA1 hash:
0ce3640c153f160cec503b0aa8f7666ba9e266de
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
SH256 hash:
8be53fe940b80a8a8cbcdbe82a1577d8feff00480154300206c13fa5ab867885
MD5 hash:
9a1fdd8a404598a87a5b68a80b57e688
SHA1 hash:
4db6ef99f8b166aa0464e29615f7e11615d8353d
SH256 hash:
12f4c23c15f2052738ea23f4787b09e986ef28bd845f801e8279cb70976665f0
MD5 hash:
53549057df46af1849aab5da1398ca0a
SHA1 hash:
5d626039682932b6eb4dd14d7c23c568c95f9b52
Detections:
win_masslogger_w0
SH256 hash:
d3f93ee7952e24929074fc4283be2f2c9f40d93005b16708c0b1eca8b6cf9422
MD5 hash:
edf9ddb8e3b703a533361c03eab7c78c
SHA1 hash:
80d384b7c41a50d43de9d7aaa83c933428c3f3de
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
MassLogger
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Keylog_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Contains Keylog |
| Rule name: | masslogger_gcch |
|---|---|
| Author: | govcert_ch |
| Rule name: | Quasar_RAT_1 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Quasar RAT |
| Reference: | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf |
| Rule name: | win_masslogger_w0 |
|---|---|
| Author: | govcert_ch |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.