MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a39304a39ad9b9427b000045f7f5c60ed7790fe1a79d604ba9379bb94c0da593. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a39304a39ad9b9427b000045f7f5c60ed7790fe1a79d604ba9379bb94c0da593
SHA3-384 hash: dd7ac456bd00dbf1848c9eb3e2263d73abd931cd75e7520b879b1f51e4450465c569edea4505bc3a2236c3c47ef12535
SHA1 hash: 39b868b11fe71cc7d0bbb88f3ebb8198648808cc
MD5 hash: b9ca60bd296e8b80185f531b8fd82a8b
humanhash: dakota-white-fruit-snake
File name:DHL_January 2020 at 13M_9B7290_PDF.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:754'176 bytes
First seen:2021-01-13 20:11:21 UTC
Last seen:2021-01-13 21:59:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e7da020c2fad0c59a3d5e97971484548 (3 x Formbook, 2 x AgentTesla, 2 x Loki)
ssdeep 12288:7d6/UwByn2AkJcrHMkr+2oCu72bi2m98errq5OtrKFb0Ka3LwSuW9xpzz8Q/nm7:OAnKcn+2GZHFe0EFbCLwSvSQ/m7
Threatray 816 similar samples on MalwareBazaar
TLSH EDF4125A73F2C475D4B2013562948BB7E8BABC32167480BFFBE80D2E5E705D0566429F
Reporter abuse_ch
Tags:DHL exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: setentaytres229.nsprimario.com
Sending IP: 188.93.73.229
From: DHL EXPRESS <noreply@dhl.com>
Subject: Re: DHL Notification / DHL_AWB_001179703/ETD
Attachment: DHL_January 2020 at 13M_9B7290_PDF.img (contains "DHL_January 2020 at 13M_9B7290_PDF.exe")

MassLogger SMTP exfil server:
mail.beljemi.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_January 2020 at 13M_9B7290_PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-01-14 05:25:20 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/c5e8e610-31e3-4a1a-a96d-0c5408e53300

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
MassLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111843/
Detection(s):
SecuriteInfo.com.ArtemisB9CA60BD296E.12016.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/580686
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a39304a39ad9b9427b000045f7f5c60ed7790fe1a79d604ba9379bb94c0da593/
Threat name:
Win32.Infostealer.Maslog
Create hunting rule
Status:
Malicious
First seen:
2021-01-13 20:12:10 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uojqji423g4ue6yaabc7p5ogb3lxsd7bu6owas5jg6n3stanuwjq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
08a9b841c509bb0171f6899c3357e6b2cc47ce64e352315c4a8aaa4961ad0673
MassLogger
2598d8fe011595cd74778112ae8704ae239444808cd3dd5938f800f16d8ae1b0
MassLogger
5873eeecc609bbf368ed09b3a3d7374c3a3c5611deb407edf0758f1d9017d54d
MassLogger
5b5242b822fbc961a9b3135ed169399695ab26ee429196917b12a8d651292981
MassLogger
5df5e69f38e5fc641a089f213a2791aa1a9d9df801093a6dbd3bfb680c38884c
MassLogger
88fefe74a59525eecee004f0ca10e3b964462adc1f3b44a794282e17dd3dd67e
MassLogger
b5a3cf350d8aa4afa017d90a37e3206574774eefc57c36da525a89606d704025
MassLogger
c26fae9be09bc2ae42201aa17d14288a797ed398c1476246a41366c78961668e
MassLogger
dfcd2b701b1142718cfbeeaf21c4fcb618d8aa2482bea8821b440ed24a768a1e
MassLogger
e178d0ed3b308beca605b9b5f71fd420bb438dc2c12e37523982982d57df22a3
MassLogger
+ 806 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger spyware stealer
Link:
https://tria.ge/reports/210113-vep4mf82p6/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
a39304a39ad9b9427b000045f7f5c60ed7790fe1a79d604ba9379bb94c0da593
MD5 hash:
b9ca60bd296e8b80185f531b8fd82a8b
SHA1 hash:
39b868b11fe71cc7d0bbb88f3ebb8198648808cc
Link:
https://www.unpac.me/results/e30b0cad-298f-432f-8357-c52ab888b735/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a39304a39ad9b9427b000045f7f5c60ed7790fe1a79d604ba9379bb94c0da593

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MassLogger
Create hunting rule
Author:kevoreilly
Description:MassLogger
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

img d69ffa1fd0c833c93e631225c0a3548d85ff5e0476091dc1a37894546c70c096

MassLogger

Executable exe a39304a39ad9b9427b000045f7f5c60ed7790fe1a79d604ba9379bb94c0da593

(this sample)

  
Dropped by
MD5 fe266fec96d89096d8c6ecb098416492
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111843/
  
Dropped by
SHA256 d69ffa1fd0c833c93e631225c0a3548d85ff5e0476091dc1a37894546c70c096

Comments