MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88e157995a6f79f670bad1611fdba6514152bb1f2682e0dbc28c3e9291b8c221. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA 4 File information Comments

SHA256 hash:	88e157995a6f79f670bad1611fdba6514152bb1f2682e0dbc28c3e9291b8c221
SHA3-384 hash:	40d9ddb94183124cc5a38c76bf00851dbd22f776cf11905c352aa2dbc29f0f6f49f27551c850e9dc36f1ae7b31ac1418
SHA1 hash:	59a6c1698b0af6d0b2165916b7358ae6d1d2a6a5
MD5 hash:	84f9ffbac1e33efc672c4628a7644120
humanhash:	butter-floor-cola-cola
File name:	ORDER LIST TBM INFOTECH Dubai..exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	68'432 bytes
First seen:	2020-10-13 05:45:31 UTC
Last seen:	2020-10-13 07:08:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	1536:mnVtmK9IkVtQVtUVtB/VtVdtNlqPHiSkRm4Ghi3MDIpkqlU4iUfi:GSwNdtNlqPHiSSm4Ghi3MDIi4c
Threatray	304 similar samples on MalwareBazaar
TLSH	42631E1C6509C911CE68133083974C612BF199A373F28FBABADE67A11D66234DB0FE5D
Reporter	abuse_ch
Tags:	Endurance exe MassLogger

abuse_ch

Malspam distributing MassLogger:

HELO: 162-241-204-248.unifiedlayer.com
Sending IP: 162.241.204.248
From: TBM INFOTECH Dubai.<info@emexleathersuppies.solutions>
Subject: RFQ FROM TBM INFOTECH Dubai.
Attachment: ORDER LIST TBM INFOTECH Dubai.rar (contains "ORDER LIST TBM INFOTECH Dubai..exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Trojan.DownLoader34.65305.18926.25345.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching a process

Creating a process with a hidden window

Sending a UDP request

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/489169

Signature

Adds a directory exclusion to Windows Defender

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/88e157995a6f79f670bad1611fdba6514152bb1f2682e0dbc28c3e9291b8c221/

Threat name:

ByteCode-MSIL.Trojan.MassLogger

Status:

Malicious

First seen:

2020-10-13 03:24:16 UTC

AV detection:

19 of 29 (65.52%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rdqvpgk2n547m4f22fqr7w5gkfavfoy7e2bobw6crq7jfenyyiqq._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

2fea8f7c727460dfd943dce7f9bb051f188f37a0150a132039a1892f18749ff3

MassLogger

703698c23e6a2e0a7fa23c5868bb97bccdca0389b47b0ea33a013a959a4a83e6

MassLogger

8f24b4adb843172c14b392bcf73f1f46ac8a20091cb22649110bb937f84b281c

MassLogger

9c4a2d8473718bdb1725450b6f0567098006b9aa89fbd913acab1bab0857143d

MassLogger

a2b0e9c1ea03a3a538fe9ef7f8e6dbf4c08feba8560e238e29fce0dd2f2e144b

MassLogger

b515db56b7c63191b19befe748f7af7f00d08623029e8856c86fc46362fbed9f

MassLogger

bc0af8fda43937d6a0d717e5be51d3f5a51a67077bc8ca85f031fa5bc08d165a

MassLogger

c7f039cff52a5c1de59fb782259f3fd2054946e9fca03d364f61c7977128dcca

MassLogger

ce073fce9de335c288fe205d5bf7fbdd9fd3ecc718821116dbad098f176a69de

MassLogger

+ 294 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

stealer spyware family:masslogger

Link:

https://tria.ge/reports/201013-f7rk565mkn/

Behaviour

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

MassLogger

MassLogger Main Payload

Unpacked files

SH256 hash:

88e157995a6f79f670bad1611fdba6514152bb1f2682e0dbc28c3e9291b8c221

MD5 hash:

84f9ffbac1e33efc672c4628a7644120

SHA1 hash:

59a6c1698b0af6d0b2165916b7358ae6d1d2a6a5

Link:

https://www.unpac.me/results/2ef7c679-c884-4e34-8a74-47e3bbcae1e2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

MassLogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/88e157995a6f79f670bad1611fdba6514152bb1f2682e0dbc28c3e9291b8c221

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf