MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9571c8778f8fbce9e3bda5437cbcc7d7a6623d7ae13b7a3ec127c2ab6e7f4ca4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9571c8778f8fbce9e3bda5437cbcc7d7a6623d7ae13b7a3ec127c2ab6e7f4ca4
SHA3-384 hash: 146b07d58613b11f04e29dc2e4289fffd1bcdd92fd894524bce106a86c55e4641759e512fb396224235517affdf24ec9
SHA1 hash: 5f5f8fa488ac35e6768d9f21aec864b57d49ca41
MD5 hash: 797fed2242d4bfe9fcf7785999572866
humanhash: autumn-item-butter-lamp
File name:RFQ & SAMPLES PRODUCTS 9-1009-GRGS 403.2MT STR20.pdf.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:88'064 bytes
First seen:2020-10-27 10:24:44 UTC
Last seen:2020-10-27 12:15:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:9k0mGw6LU6rBMc7TVgJFVmT3JKV9+J05fY7oDNz8ksUxoNIB8t+pM:9k0mwMc7TVgJLVMiu7oDNz8ksUomBZ
Threatray 400 similar samples on MalwareBazaar
TLSH 9183DB123147CCA5EE7006782EC740B882F37D6A1D11EAE16EF0A9E5BF95D05079B98F
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: mail.h-email.net
Sending IP: 31.168.40.90
From: 'Jamey Machathil'<jamey@a1jays.com>
Subject: A1JAYS RFQ- NEW ORDER
Attachment: RFQ STR20- A1JAYS.zip (contains "RFQ & SAMPLES PRODUCTS 9-1009-GRGS 403.2MT STR20.pdf.exe")

MasssLogger SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Dtloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/79809/
Detection(s):
SecuriteInfo.com.Artemis797FED2242D4.9480.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Adding an access-denied ACE
Creating a file
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Sending a UDP request
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Enabling autorun
Unauthorized injection to a system process
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/513307
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 305784 Sample: RFQ & SAMPLES PRODUCTS 9-10... Startdate: 27/10/2020 Architecture: WINDOWS Score: 100 53 www.google.it 2->53 55 nagano-19599.herokussl.com 2->55 57 2 other IPs or domains 2->57 81 Antivirus detection for dropped file 2->81 83 Antivirus / Scanner detection for submitted sample 2->83 85 Multi AV Scanner detection for dropped file 2->85 87 13 other signatures 2->87 8 RFQ & SAMPLES PRODUCTS 9-1009-GRGS 403.2MT STR20.pdf.exe 18 4 2->8         started        13 RFQ & SAMPLES PRODUCTS 9-1009-GRGS 403.2MT STR20.pdf.exe 2->13         started        15 RFQ & SAMPLES PRODUCTS 9-1009-GRGS 403.2MT STR20.pdf.exe 2 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 73 www.google.it 172.217.168.67 GOOGLEUS United States 8->73 75 ahgwqrq.xyz 104.27.181.69, 443, 49730, 49746 CLOUDFLARENETUS United States 8->75 51 RFQ & SAMPLES PROD...3.2MT STR20.pdf.exe, PE32 8->51 dropped 95 Creates an undocumented autostart registry key 8->95 97 Creates autostart registry keys with suspicious names 8->97 99 Creates multiple autostart registry keys 8->99 19 RegSvcs.exe 14 2 8->19         started        23 RegSvcs.exe 8->23         started        25 timeout.exe 1 8->25         started        27 WerFault.exe 23 9 8->27         started        101 Writes to foreign memory regions 13->101 103 Hides threads from debuggers 13->103 105 Injects a PE file into a foreign processes 13->105 29 RegSvcs.exe 13->29         started        33 2 other processes 13->33 77 172.67.142.40, 443, 49743 CLOUDFLARENETUS United States 15->77 79 192.168.2.1 unknown unknown 15->79 31 RegSvcs.exe 15->31         started        35 2 other processes 15->35 37 3 other processes 17->37 file6 signatures7 process8 dnsIp9 59 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.126.66, 49744, 80 AMAZON-AESUS United States 19->59 61 nagano-19599.herokussl.com 19->61 63 api.ipify.org 19->63 89 Tries to steal Mail credentials (via file access) 19->89 91 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->91 39 conhost.exe 25->39         started        65 54.225.169.28, 49756, 80 AMAZON-AESUS United States 29->65 69 2 other IPs or domains 29->69 93 Tries to harvest and steal browser information (history, passwords, etc) 29->93 67 54.235.83.248, 49773, 49780, 80 AMAZON-AESUS United States 31->67 71 2 other IPs or domains 31->71 41 conhost.exe 33->41         started        43 conhost.exe 35->43         started        45 conhost.exe 37->45         started        47 conhost.exe 37->47         started        49 conhost.exe 37->49         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9571c8778f8fbce9e3bda5437cbcc7d7a6623d7ae13b7a3ec127c2ab6e7f4ca4/
Threat name:
ByteCode-MSIL.Infostealer.Maslog
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 04:03:27 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=svy4q54pr66oty55uvbxzpgh26tgepl24e5xupwbe7bkw3t7jssa._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
263fefe63ffef92b66516f9de917b4af09783ef5e3b6ba93b030d91c624c7925
MassLogger
553ad8c805d4151e154177bb4fbb1678711306d8eefba081ec36bf0518d4e88f
MassLogger
6030faadae8d2aa1b94b06da9c0d4ed3ce33076a1bc04218027519b1043a6a95
MassLogger
610ed2ab81dda401cd838073f80b2d217c2a5bb8f6b35b32c6d71ed67ea4483b
MassLogger
6bcaa05bb24f934bc0b68c8475610a3a0c1877e279ab50d9fe75144cb369fd1e
MassLogger
8e351736ae4bff938f1b59b396f039a6a281c4b8401f918f6b7b52b5c574d330
MassLogger
b234b123cd33ace5b6434059665f92851e0637017abf1d5d1e009660d1c2e9d9
MassLogger
b3f2d07e97cfe28deee3a65b8541c48f96f022b52db515b06c635f3b9fcc35ef
MassLogger
c0c4c97332bfb8b5254c089e82c05d0a7d171747b72f991f7e3bdb2ed74856d0
MassLogger
f23b9e7560ded009508ff2a4dd75507d7bf087ad69c47fc5320af052d95fa814
MassLogger
+ 390 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
persistence spyware stealer family:masslogger
Link:
https://tria.ge/reports/201027-yh6kv4afya/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Modifies WinLogon for persistence
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip edc03828f494523e020dd6073d93ef49fdf2e66afb2c4bc25df442da8fd3d3dd

MassLogger

Executable exe 9571c8778f8fbce9e3bda5437cbcc7d7a6623d7ae13b7a3ec127c2ab6e7f4ca4

(this sample)

  
Dropped by
MD5 3282a94d66745020402bfb7d22f9f67e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 edc03828f494523e020dd6073d93ef49fdf2e66afb2c4bc25df442da8fd3d3dd
Cape
Cape
https://www.capesandbox.com/analysis/79809/

Comments