MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84742df4cd63ab373d601a9f4900b1b55f41ea5f48d93eaebb68b9fd4bf8235a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	84742df4cd63ab373d601a9f4900b1b55f41ea5f48d93eaebb68b9fd4bf8235a
SHA3-384 hash:	c223bc77c86a1561207b43925cd2ad7fa4939797578b532d1cf0526fc03e9bb4587245842e8a78d31289ccd80dd0e39e
SHA1 hash:	62744c5f68de9e34e2a46eb82fa44ca61b3edb04
MD5 hash:	d0b1268b6d2c57344550cb717497256d
humanhash:	bulldog-muppet-oxygen-high
File name:	NEFTSBIN220227540696.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'221'120 bytes
First seen:	2020-08-17 19:03:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	639357242ed279ceaa4726408d2cc6d5 (10 x AgentTesla, 4 x Formbook, 3 x MassLogger)
ssdeep	24576:MF7OuHzkK4d7403c8UnhoEdpQnY2CyaaF1WP6TYZAOohq:MFy+f8nc8UnFdpQuN6Ook
Threatray	537 similar samples on MalwareBazaar
TLSH	E045C023E1E14837D1B32A7C9C1F72A898FABD103AF899477BE41C089F396513565E87
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: indusind.com
Sending IP: 185.222.57.136
From: IndusInd Bank <IndusInd_Bank@indusind.com>
Subject: IndusInd Bank Transaction Alert
Attachment: NEFTSBIN220227540696.gz (contains "NEFTSBIN220227540696.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Ispy

Link:

https://www.capesandbox.com/analysis/47311/

Detection(s):

SecuriteInfo.com.BScope.Trojan.Crypt.5088.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Using the Windows Management Instrumentation requests

Running batch commands

Creating a file

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/434702

Signature

Contains functionality to detect sleep reduction / modifications

Deletes itself after installation

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Maps a DLL or memory area into another process

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/84742df4cd63ab373d601a9f4900b1b55f41ea5f48d93eaebb68b9fd4bf8235a/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-08-17 10:50:42 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qr2c35gnmovtopladkpusafrwvpud2s7jdmt5lv3nc472s7yenna._file

Verdict:

malicious

Label(s):

hawkeyekeylogger

MassLogger

1a8d85a16bcc49b33c11489af823ff2f15caa31ecb616330bb54a4ca5b261769

MassLogger

3fd662d7caf82ecc8b61b4fa261bc51510851aa36099a85f66c2689c507e11d7

MassLogger

4c8728146976e30a09321d1e158aeeb46908c54fa8614ccef7fbc9761956eca4

MassLogger

5bcbbf82aa7c1bde8cddd6a6d50b4b082555ddb0dd23dd468ef238850238ed2a

MassLogger

6cf454ec0892e0367356ae674e93612f1c23d9c99874d8ff7de7d77055cbf9c6

MassLogger

a551bc2327862c1430dac51dce368001622525fae235ca689f7b055e0d3125c7

MassLogger

b8789e245fdcc8f15b3e86a516660004980a8febea95077b7606e5bfc4a7bd31

MassLogger

c7202ac90daa5d696736a32eff2c930eba08332c9416ff6a464ce3ea17f414f9

MassLogger

ebcea3b90af00f67983ebb15abec7e46a480818904a74764aab402da08d7b16b

MassLogger

+ 527 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware upx spyware stealer family:masslogger

Link:

https://tria.ge/reports/200817-rn175thmp6/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Deletes itself

Reads user/profile data of web browsers

UPX packed file

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/84742df4cd63ab373d601a9f4900b1b55f41ea5f48d93eaebb68b9fd4bf8235a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

gz 04a2cc2016d24c4e1f3645a6dd285449c78185f192781b59c7f23696bd5dc7e7

MassLogger

exe 84742df4cd63ab373d601a9f4900b1b55f41ea5f48d93eaebb68b9fd4bf8235a

(this sample)

Dropped by

MD5 979c0ac57d6319ca30ea26ce6424fe1d

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 04a2cc2016d24c4e1f3645a6dd285449c78185f192781b59c7f23696bd5dc7e7

Cape

https://www.capesandbox.com/analysis/47311/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample