MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d12d73cdddda4b11bbfa38b1bc056e20063a75f38decb5e8af5e6a30c078673. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	9d12d73cdddda4b11bbfa38b1bc056e20063a75f38decb5e8af5e6a30c078673
SHA3-384 hash:	4d860a63800b410ee72b5ce280c2df14b03de9c9c944276d0c45a4fe08f642506363f50e9c9e5a516338e99930a1b62c
SHA1 hash:	f0b6b086ae839312178d27ea01e8034cbefab227
MD5 hash:	05b38d4a44ea9242439c3143809cc1e5
humanhash:	kilo-twenty-uranus-shade
File name:	RQF.49254960 annex.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'168'896 bytes
First seen:	2020-07-29 06:26:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:JuLEJjzIkA9rcM1WBL7tUF3JG2YwFXJug+iok03LhncbtAKUMaes27WMQOJszHhe:J06jk8RVaFvxIkCLhncbHPaesjwa3u
Threatray	938 similar samples on MalwareBazaar
TLSH	51457A02A1C856DFD20A84B42C63F2B82623D8A5EB61DD775D8EF06705F12E935F346E
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing MassLogger:

HELO: grl.com.tr
Sending IP: 156.96.118.60
From: Selim Arslan <accounts@grl.com.tr>
Reply-To: ellisfalconresources@mail.com
Subject: Re: End of July RQF.49254960 annex
Attachment: RQF.49254960 annex.r00 (contains "RQF.49254960 annex.exe")

MassLogger SMTP exfil server:
smtp.yandex.com.tr:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/34220/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a file

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Reading Telegram data

Reading critical registry keys

Creating a file in the %temp% directory

Moving a file to the %temp% directory

Deleting a recently created file

Setting a global event handler for the keyboard

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/401308

Signature

Antivirus / Scanner detection for submitted sample

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Yara detected AntiVM_3

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9d12d73cdddda4b11bbfa38b1bc056e20063a75f38decb5e8af5e6a30c078673/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-29 06:28:10 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tujnopg53wslcg57uofrxqcw4iaghj27hdpmwxuk6xtkgdahqzzq._file

Verdict:

unknown

MassLogger

097425f924aa9cd5afeddfe3bf08e512ae2e055f04024781676389eb26a27d4f

MassLogger

28ea5f3c757973759e967f2a489b85cfad60f620156887145759443b4d673ddf

MassLogger

3dd701e877f0f802984c90bcfdcde54c35780c9afb459b2d395e6d38b2d4a503

MassLogger

6770ffec040c10ed6a13f0e654e9ac96763d3dd9c0c214ce658aa0648367216a

MassLogger

a63ac2c19153c340a54a2be27ac53722f5c5a653fd851b32931add8fe353c6c3

MassLogger

bcd7372fd84fe78e97a72a842df6cab2a5d7a47909a3fd05b13f6f4990de8a7f

MassLogger

c7eaea6b1bb5d064d8db564ca8bb56b940a1f6fd932b75a1934704da667a29c2

MassLogger

e7198a6f6cf52e2f218e8354fbe9d3a59f7154aec99ec74d51017f7f9ff82ba1

MassLogger

ec3e3215b535bb6536ecf8df92c6580950a60dcfa406bb3f855de9aab7f6c7a1

MassLogger

+ 928 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200729-jy8m4r7db2/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/9d12d73cdddda4b11bbfa38b1bc056e20063a75f38decb5e8af5e6a30c078673

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.