MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b929c43ad6f3aefd59485197209608aee28ba2517eba13c2cdf2fe8c6a3d1d5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b929c43ad6f3aefd59485197209608aee28ba2517eba13c2cdf2fe8c6a3d1d5d
SHA3-384 hash: 1b8939332307a1744dceac3105f89e530b3b81159a169f96c2fbdd238accc7447a9b838abfb1f0e8af930c69d7d61950
SHA1 hash: 56222b109f96af4bc3db178f5a84ec9282553bb8
MD5 hash: e08e4eed875f9d63a180d0e637f3b548
humanhash: blue-sink-mobile-harry
File name:Oustanding payment.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'186'304 bytes
First seen:2020-07-08 16:51:19 UTC
Last seen:2020-07-08 17:58:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:Ftjbkql1oTcPt5i9Yzkkogvfu2DslhtWkslhtWp:Ftr1F5iEop22htWJhtW
Threatray 1'456 similar samples on MalwareBazaar
TLSH F145F135B7A59A01CB7E4F32D86302009E76A46B6E06E68F7ECC25EE4C977043A47717
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: champalalgroup.com
Sending IP: 185.199.226.222
From: Lata Nair <anil@champalalgroup.com>
Subject: Urgent request
Attachment: Oustanding payment.rar (contains "Oustanding payment.exe")

MassLogger SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.372.23556.3379.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading Telegram data
Creating a file
Reading critical registry keys
Moving a recently created file
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Enabling autorun with Startup directory
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b929c43ad6f3aefd59485197209608aee28ba2517eba13c2cdf2fe8c6a3d1d5d/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-08 16:53:04 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xeu4ioww6oxp2wkikglsbfqiv3rixisrp25bhqwn6l7iy2r5dvoq._file
Verdict:
malicious
Similar samples:
1ae52558dadc5c5b388c0a64b6e54ead3280540b5a1db2d90f20d960257004dd
MassLogger
37299afa1d46a1aa02b7b06a39d41d876f454047527e406e7cbcb659833de728
MassLogger
4e58097d79300ae809d5217574143329645024690feef18106d9f009653fbb95
MassLogger
4fa82bcc428147d23e5abc86fb9bfdc61829d91094659e74250ac43ab9a73ab4
MassLogger
69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c
MassLogger
848b8d647cdae7cf35f1322fb01fa3aa122c3d783bfa7b66791ec4ed1a66fef5
MassLogger
c62691c81bf080e70b24824537d2abc3a88ff1c554b3c2d2727e06024712eefe
MassLogger
d3585150a0d7118b7d4dd19bb781d4eee5887fa56bdd61a337181a9ff24f023f
MassLogger
d47f5168e5b3b521b9e2722207e1fcf5be168c8dab409ffd575cba8c08fe1f9e
MassLogger
f9397a0438f1e3a8d03aa326dc4910482df49dd295228d9a4dda1f55247fd6e3
MassLogger
+ 1'446 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
spyware stealer family:masslogger
Link:
https://tria.ge/reports/200708-3p5c9f35gj/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

109f9a4f76e4574292d520eee051f52e

MassLogger

Executable exe b929c43ad6f3aefd59485197209608aee28ba2517eba13c2cdf2fe8c6a3d1d5d

(this sample)

  
Dropped by
MD5 109f9a4f76e4574292d520eee051f52e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23287/

Comments