MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd99f6b970cc52ee725dd1b734a440243655a3fbc1e2304a665b29d41477c25b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	bd99f6b970cc52ee725dd1b734a440243655a3fbc1e2304a665b29d41477c25b
SHA3-384 hash:	732dcced5565cbf332b512dfdb8031215f30c3cce82ae0796247d7b781c8e6d437ccf7eebc1a9d2a3c76b19cc581f8ab
SHA1 hash:	fdec6711f508bb2277f84cb60e8e2bee2353f141
MD5 hash:	d13df375594402f6b205f37d23a4fddc
humanhash:	johnny-rugby-illinois-edward
File name:	Mehmet_inquiry_00382392_176372.pdf.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'378'304 bytes
First seen:	2020-08-28 05:58:52 UTC
Last seen:	2020-08-28 07:04:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:YlWnTDXFW+kQ/HNzcSgq8Fp1ZeEuZPMnCyLS5D:hXXFJfHZcShwp1IT
Threatray	40 similar samples on MalwareBazaar
TLSH	BB55C042B2058A49ED5739F6182ED4B490767E9ED235D14CEEC37F2619F334A201AF8B
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing MassLogger:

HELO: server0.vuetrade.pw
Sending IP: 159.203.18.176
From: Mehmet Necmettin DOĞAN <sales@vuetrade.pw>
Reply-To: janedoem95@gmail.com
Subject: fwd: RFQ: 028432// Inquiry.
Attachment: Mehmet_inquiry_00382392_176372.pdf.r00 (contains "Mehmet_inquiry_00382392_176372.pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Generic.mg.d13df375594402f6.30603.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/453238

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bd99f6b970cc52ee725dd1b734a440243655a3fbc1e2304a665b29d41477c25b/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-28 06:00:13 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xwm7nolqzrjo44s52g3tjjcaeq3fli73yhrdastglmu5ifdxyjnq._file

Verdict:

suspicious

MassLogger

30690dd57acb0fdd1b40b8985089381f463d9cc0601605782624283be72be025

MassLogger

3309682d4e7fe2d802cbe22c698b31d93e4d35a5ee611aedabc1f6e1f6a96e46

MassLogger

4c61b7e22d734c70904acd8b8c64f5e40aa837729bbcec8d50f11addfb652963

MassLogger

516b29be6f0d91a249adca2b26381bfa5b90cf6a643d1b621095c6425a74795b

MassLogger

65dc5eae6aba498e459af4ab782d21cf3708141b3886226a9e31c407b6d9aa8f

MassLogger

75692c6d88025cd8de4afa58076bd2dfe2b3adbf536c13513bf1f9b99811e143

MassLogger

829abf5ae6cc64c2099d4e8f5160877ee47f82d9d8c29f24b47cee0aad726986

MassLogger

9b79d0622124809cc47cc7b7423db95a0aae0f37a60d6a224e181f846ef6206d

MassLogger

b7f19729b194bac7f587a7cc19778e925a218fec8106b23466367b2847b99ea2

MassLogger

+ 30 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/200828-apnflbth4s/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bd99f6b970cc52ee725dd1b734a440243655a3fbc1e2304a665b29d41477c25b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf