MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9cdbfef9598908dcd196e0ecc0f4a76ab2e4a0952334c7ccfc12d74f1fd7060. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9cdbfef9598908dcd196e0ecc0f4a76ab2e4a0952334c7ccfc12d74f1fd7060
SHA3-384 hash: 3f412307cde833272aa5afcb8243c69a01cd6231b13b2742bd9ea4b5ec40e7c742df6abc8ff18289b36a0c1d5896322b
SHA1 hash: d20f79b952cd39531be2a0381ef45000688e33df
MD5 hash: 36299395a2836fc44a487331bf7efcfe
humanhash: ceiling-football-nebraska-football
File name:DHL - Air Way Bill.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:99'384 bytes
First seen:2020-10-30 13:15:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:FBgXhPGXIl+gNJpidAlxzFHsLEtMxnBHoavtemy:FUhuXIlfNHpvzFHgiaVhy
Threatray 36 similar samples on MalwareBazaar
TLSH C7A36A40D5CDC8D5EC649B3C3BA20EB54A2EB67F68E6F64E550CE033171328A3C916AD
Reporter James_inthe_box
Tags:exe MassLogger

Code Signing Certificate

Organisation:Adobe Inc.
Issuer:DigiCert EV Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Jan 31 00:00:00 2019 GMT
Valid to:Feb 3 12:00:00 2021 GMT
Serial number: 06F24D9F4DB07BD7ECAD067F5EE26C29
Intelligence: 9 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: F1D08D7B98504370C1D5C40DCD8D8DCEAB084E9095CEF544465C445A374A18B0
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/81230/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34994510.4883.31382.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% subdirectories
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/516967
Signature
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 307586 Sample: DHL - Air Way Bill.exe Startdate: 30/10/2020 Architecture: WINDOWS Score: 96 23 Multi AV Scanner detection for domain / URL 2->23 25 Antivirus detection for URL or domain 2->25 27 Multi AV Scanner detection for dropped file 2->27 29 6 other signatures 2->29 7 DHL - Air Way Bill.exe 16 6 2->7         started        11 vlc.exe 2->11         started        13 vlc.exe 2->13         started        process3 dnsIp4 21 185.172.110.244, 49732, 80 BLADESERVERSNL Netherlands 7->21 19 C:\Users\user\AppData\Roaming\...\vlc.exe, PE32 7->19 dropped 15 powershell.exe 19 7->15         started        file5 process6 process7 17 conhost.exe 15->17         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9cdbfef9598908dcd196e0ecc0f4a76ab2e4a0952334c7ccfc12d74f1fd7060/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2020-10-29 23:30:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vhg3734vtcii3tiznyhmyd2ko2vs4sqjkizuy7gpyewxj4p5obqa._file
Verdict:
suspicious
Similar samples:
188937c949c23138157a707a06cca97dda5f3adc3b6f98bd07088a321d5220a5
MassLogger
3005d49fd313fedcf242a6ba2c6ffc962ce86469fe1bce77f775e64457f7ea33
MassLogger
36e711a66774ed0b6457f8d442315a4d1b5d06781a8ab1254abda5ba824bb816
MassLogger
5b832740ae1f2a5c2c10e37aadd6d0b74d647a9ff853f091a2262ef0ae2c672c
MassLogger
6c7db3cbcde67820238124f2e18f872ead9184460bcfb2ab23c292f5ade625e2
MassLogger
c9c5b4b76ac69632d5f5931198adb5d21d214c72d8524ffc60d7d6bbcd44cf03
MassLogger
cfda81fea66e56fe0f6a8eed267b836f31c7c3f1d7ecdf08fb0c13f8203e7dcb
MassLogger
d8f37e199f10881b2045823553fd64f3f52ec616e24f2235a47dae7c435a3c72
MassLogger
e9f6a306988f2ef722e09399f0473f0d8623b23da0de1bb32e58e91d21a356e3
MassLogger
f132a49b6940edaa008fdf3b73fb80ffec67e83ff8ffd8eec657386fda9c48a5
MassLogger
+ 26 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger persistence spyware stealer
Link:
https://tria.ge/reports/201030-e9plkw7lse/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Deletes itself
MassLogger
MassLogger Main Payload
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/81230/

Comments