MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0d7806609d30bdbfcb6e56320094558d6f3cd2c2c3f0e8e4479475d69160c41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0d7806609d30bdbfcb6e56320094558d6f3cd2c2c3f0e8e4479475d69160c41
SHA3-384 hash: 45bca0b81986f1c926d6aa12a30daf322dd4b89f1949f32478133391f34b6a2f3fe340bcf94677e178361b3682fa8e20
SHA1 hash: 0ac932abd32c442933c91a6a5821f8a6e14d44f4
MD5 hash: 8874ea0ece51fe06e3a7dc092772da57
humanhash: minnesota-wisconsin-grey-beryllium
File name:FHCQ1YC0JqmEr9D.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:992'768 bytes
First seen:2020-10-13 10:36:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:+v6ULQpzErp36b+C6/intIxaiZcFhLdxgG6AVqi6zNL:+SULqzK5QkaNDQG+R
Threatray 330 similar samples on MalwareBazaar
TLSH 5E25121033B86B63D43EE7FD1226A0402BB5361B2461F61DEEC255DF6939F260681FA7
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: panelhosting3.indosatm2.com
Sending IP: 202.155.27.141
From: Daniel Zhao <andrea.kovacs@gpipharma.ie>
Reply-To: Daniel Zhao <rahmati@kitoenterprises.co>
Subject: Re: Payment
Attachment: Payment 10132020_pdf.iso (contains "FHCQ1YC0JqmEr9D.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70378/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.3009.28267.29331.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/489518
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0d7806609d30bdbfcb6e56320094558d6f3cd2c2c3f0e8e4479475d69160c41/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 06:03:51 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wdlyazqj2mf5x7fw4vrsackfldlphtjmfq7q5dsepfdv22iwbraq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
01053beaa477c1cbf38cd7914244da9e75a22f59568056048fefde017503226e
MassLogger
08c7131cac4c6c62004d8b2e3ce0b85d1b35e7325f753a865206814cd87ecdf4
MassLogger
2ab05797cf729e2a8c82cdfee67089f8378297c3b21379d11465207e681f2d1e
MassLogger
2fea8f7c727460dfd943dce7f9bb051f188f37a0150a132039a1892f18749ff3
MassLogger
5dd8cf7e789bc36a9a069cf42247f758e8900f8913c88e5ac84328d30e6d7c99
MassLogger
779ef456127a144ebaa7485d4109add0574ec267fc350d4d3493d77631a56fde
MassLogger
88e157995a6f79f670bad1611fdba6514152bb1f2682e0dbc28c3e9291b8c221
MassLogger
a2b0e9c1ea03a3a538fe9ef7f8e6dbf4c08feba8560e238e29fce0dd2f2e144b
MassLogger
ce073fce9de335c288fe205d5bf7fbdd9fd3ecc718821116dbad098f176a69de
MassLogger
d18ed06b9419076750525d6324bce7702186263efaa0ab0d3647510268883f37
MassLogger
+ 320 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
spyware stealer family:masslogger
Link:
https://tria.ge/reports/201013-789la1sbmj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
b0d7806609d30bdbfcb6e56320094558d6f3cd2c2c3f0e8e4479475d69160c41
MD5 hash:
8874ea0ece51fe06e3a7dc092772da57
SHA1 hash:
0ac932abd32c442933c91a6a5821f8a6e14d44f4
Link:
https://www.unpac.me/results/e03060a8-b29e-403b-8146-155fba0fed21/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/e03060a8-b29e-403b-8146-155fba0fed21/
SH256 hash:
d5962386b0000b89f6415c79991d3c77d643b67a3cf3d5ddc7467b52fecf4ca4
MD5 hash:
6e30ffd4d95cd8188f795d58d9c478fb
SHA1 hash:
a40640a71853cc2242b9c9b40e85801d618f5fb7
Link:
https://www.unpac.me/results/e03060a8-b29e-403b-8146-155fba0fed21/
SH256 hash:
c103e62f4c48d1461494c8461fffb58ffc71dff02d1026027b195ac68df42884
MD5 hash:
607e1c02a11e1ab76b2995376b6e69af
SHA1 hash:
e349990808aa07165ba77a8ffa73b57a38f8a3d3
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/e03060a8-b29e-403b-8146-155fba0fed21/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/b0d7806609d30bdbfcb6e56320094558d6f3cd2c2c3f0e8e4479475d69160c41

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

iso 4641c9cd9679e66bb5d69cb6a9b406e516a5cde6e22943a4ef783c32a1a287d1

MassLogger

Executable exe b0d7806609d30bdbfcb6e56320094558d6f3cd2c2c3f0e8e4479475d69160c41

(this sample)

  
Dropped by
MD5 0f9721713fc666d3dd923846d8149392
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70378/
  
Dropped by
SHA256 4641c9cd9679e66bb5d69cb6a9b406e516a5cde6e22943a4ef783c32a1a287d1

Comments