MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab62f6c3ea852d99ce529f9c61012ab324bb007f79cc6cba9c8f6c1aaba4c561. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab62f6c3ea852d99ce529f9c61012ab324bb007f79cc6cba9c8f6c1aaba4c561
SHA3-384 hash: 6950ce2f056a71637edb8c56bf90943392131096957f55984908c56da84de5ad3b5011447685d0a9542b7487e5c7211d
SHA1 hash: 4f378985dacdb0b3946c78b7d00d6c4aea818990
MD5 hash: e5af584615b29660064534259befcb97
humanhash: coffee-iowa-march-solar
File name:SCAN BL.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'586'946 bytes
First seen:2020-08-19 14:01:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:JAOcZypn/+u3JFlptm1tZ8PlK9mAobJ8uVmDpQnVCJN0Gxg539FQZMaBQiRtM:jP/+mMtKoouuVmDpvJNxw96ZMARG
Threatray 246 similar samples on MalwareBazaar
TLSH 9E752302FAD688F1C5721E32582ABB129D3D7D304E15DA6FE3E41D7CDAB41D0A6247B2
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: mail.winnerscreations.com
Sending IP: 182.163.126.199
From: Martin Fahd <martinbertold@martinbertold.hu>
Subject: Scan BL
Attachment: Scan BL.r00 (contains "SCAN BL.exe")

MassLogger SMTP exfil server:
mail.ziv-investment.com:26

MassLogger SMTP exfil email address:
engine@ziv-investment.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
MassLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/48598/
Detection(s):
SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Sending a UDP request
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching a process
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/438360
Signature
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 271649 Sample: SCAN BL.exe Startdate: 20/08/2020 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Yara detected MassLogger RAT 2->45 47 Yara detected AntiVM autoit script 2->47 49 5 other signatures 2->49 7 SCAN BL.exe 40 2->7         started        process3 file4 25 C:\Users\user\AppData\Local\...\xgsxc.pif, PE32 7->25 dropped 10 xgsxc.pif 3 7->10         started        process5 file6 27 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 10->27 dropped 51 Machine Learning detection for dropped file 10->51 53 Writes to foreign memory regions 10->53 55 Allocates memory in foreign processes 10->55 57 Injects a PE file into a foreign processes 10->57 14 RegSvcs.exe 15 6 10->14         started        19 mshta.exe 10->19         started        21 mshta.exe 10->21         started        23 5 other processes 10->23 signatures7 process8 dnsIp9 31 mail.ziv-investment.com 198.54.126.78, 26, 49747 NAMECHEAP-NETUS United States 14->31 33 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.203.47, 49746, 80 AMAZON-AESUS United States 14->33 35 2 other IPs or domains 14->35 29 C:\Users\user\AppData\Local\Temp\...\Log.txt, ASCII 14->29 dropped 37 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->37 39 Tries to steal Mail credentials (via file access) 14->39 41 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 14->41 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab62f6c3ea852d99ce529f9c61012ab324bb007f79cc6cba9c8f6c1aaba4c561/
Threat name:
Win32.Spyware.Masslogger
Create hunting rule
Status:
Malicious
First seen:
2020-08-19 14:03:09 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vnrpnq7kquwzttsst6ogcajkwmslwad7phggzou4r5wbvk5eyvqq._file
Verdict:
malicious
Similar samples:
4d13350ebf3d38475a0a4a8c223fe6c06e00af3585eb499f60e29639b3944d3f
MassLogger
5c5e4e31bde29168e03fa8cce36bab9b577568137edab59f68f8968616546ed9
MassLogger
62a7f441ba21aaa568fe700029fa32d6dd7eeb2ed0a7f7259a680f2aae65ee31
MassLogger
7fce676b063449eecd1236727598513639a7fd166d6e2f86dce138b97636d572
MassLogger
90bb157f9c5241f567eb56be38e3ba9f51a0ec5a8da3c77fdb1bed1f2095c39b
MassLogger
9987d8c52079b322db5a969a6c8aca4858262e6bf895d644d2f8c87bee0ec649
MassLogger
a30dd99039152a76aacb5607d79b400098d9cd24350c0121fe4f7811177c0dbc
MassLogger
a943fc4408c2f59f2df0afabf3836e5adae92a8f4a4b1da0270e313d8ea78445
MassLogger
cbf010e4d58f12ac1a0ce0ef5e29636c13a3a6ee5b052aae7cad7e9a95448276
MassLogger
d6c73d397215d259bfb6168e9c0a6c29bb8e684509877e0ec62aba0c817a25fa
MassLogger
+ 236 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/200819-e1seclfnn2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NanoCore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab62f6c3ea852d99ce529f9c61012ab324bb007f79cc6cba9c8f6c1aaba4c561

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

r00 2a8332b73a8ce0c6bc1fb3f0888869737c4e5f43cb485318896422f1d973ab7c

MassLogger

Executable exe ab62f6c3ea852d99ce529f9c61012ab324bb007f79cc6cba9c8f6c1aaba4c561

(this sample)

  
Dropped by
MD5 63b2fd1e0ef5aebb5306767a4e02bf6e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48598/
  
Dropped by
SHA256 2a8332b73a8ce0c6bc1fb3f0888869737c4e5f43cb485318896422f1d973ab7c

Comments