MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa629febbaa577cc72e7a001df96a0afc08094ea57493bbc77857d9996cd3019. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	aa629febbaa577cc72e7a001df96a0afc08094ea57493bbc77857d9996cd3019
SHA3-384 hash:	ef431c38b783d23e5c20cc938b2cb5e6105e879473d33f11098a431eb57bc7ed4f94cc9ea2925628accab1621c3e0d17
SHA1 hash:	0e67ae2e38b8809e7e3167ddfdaae73333d67c65
MD5 hash:	72b8eec23ed50a0c0d01052b34d23974
humanhash:	blue-king-oregon-indigo
File name:	PO47828110.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	931'840 bytes
First seen:	2020-08-05 12:10:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	24576:WOwY0kIbnQiehZcxWXZjijSb8yA+kHCdUAAg8gbxRH67tRFBdr:bwbQZhZcxWU2b8SJdUnjgYjFXr
Threatray	678 similar samples on MalwareBazaar
TLSH	5C15DF2F31D11D88F9EE4EFE5E3558E35F67F89FC622914B2A31506900FA148B929F18
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: mail6.kergyoilfleld.com
Sending IP: 161.35.235.26
From: Saleem MD <tawee.ku@panuspoultry.co.th>
Subject: RE: RFQ
Attachment: PO47828110.gz (contains "PO47828110.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/39559/

Detection(s):

SecuriteInfo.com.CIL.HeapOverride.Heur.2307.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Running batch commands

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/411180

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Deletes itself after installation

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM_3

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aa629febbaa577cc72e7a001df96a0afc08094ea57493bbc77857d9996cd3019/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2020-08-05 11:22:52 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vjrj7252uv34y4xhuaa57fvav7aibfhkk5etxpdxqv6ztfwngamq._file

Verdict:

unknown

MassLogger

0fb431964ede898512c981a18eb6a12bf7304c8a858bb61a0ca4280bfdbe6898

MassLogger

114ba0c81a5ac12f589504d2693d6cb0a845e119bf305fc9eb7b8e756b385f91

MassLogger

4534997b5b146c7caebb2f398e7ea0f2bbf434af23155ad13b0acd09b0487325

MassLogger

6077a9d47232d6bb6425891c5c71096e21e4f961fa4b882004c4574a23321ab9

MassLogger

95d334eb3cabab89dede94fa1fdfb66560e7ca453ac25be1729a5c0d2e783934

MassLogger

a9f8d8a5503dca2d63d36e17041e6d065a6bf7bad41c000dd6d5a1e73d18d786

MassLogger

b8789e245fdcc8f15b3e86a516660004980a8febea95077b7606e5bfc4a7bd31

MassLogger

cf9aa52cd8829760f779772b7b483ff039100b5d6311c85f969553b6ce66d58b

MassLogger

fc9d50ccd0d0a267f1fa1003607ea81931a9c1f857798c3b10af9b5408f01437

MassLogger

+ 668 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200805-xyzdhsx8mn/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/aa629febbaa577cc72e7a001df96a0afc08094ea57493bbc77857d9996cd3019

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

gz f2430b9885932e660140dd1c94ed2b12271053e4f2fd5e23e32354813c2d0c4c

MassLogger

exe aa629febbaa577cc72e7a001df96a0afc08094ea57493bbc77857d9996cd3019

(this sample)

Dropped by

MD5 37583a1c69b3e0a80a7967758200b3c5

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 f2430b9885932e660140dd1c94ed2b12271053e4f2fd5e23e32354813c2d0c4c

Cape

https://www.capesandbox.com/analysis/39559/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample