MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1eb825c340f71f623701f1bd53ecdc89ffc44a7598f51efc6c1febb8e6439e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	c1eb825c340f71f623701f1bd53ecdc89ffc44a7598f51efc6c1febb8e6439e6
SHA3-384 hash:	cebddad728cfd663497218673defaf38d9b286e782da1068d9e78e248b08c20e6c23829fd8d50f9bf19b45546656d56c
SHA1 hash:	afa9dae1b5575371f54eafa93c17ec10c79ec21c
MD5 hash:	fcec6c7bdf33a7154f7b569495fc6e7c
humanhash:	fix-river-uranus-lemon
File name:	payment.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	584'192 bytes
First seen:	2020-08-13 14:03:13 UTC
Last seen:	2020-08-13 14:54:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:POjK7ukhRCb7EjmpteJ//Lt5CNYpnv+lUMrRtf4LXuqjq20:POjK1hRCb7/pti//LPnJY1F4zq20
Threatray	532 similar samples on MalwareBazaar
TLSH	EFC42320B7CCA13AD3321732A175F7F787324E56041BEA5B7D4C48DDCA10B9A15B2B66
Reporter	abuse_ch
Tags:	exe HSBC MassLogger

abuse_ch

Malspam distributing MassLogger:

HELO: we.webtechcool.live
Sending IP: 45.95.171.44
From: HSBC<customer.care.team@hsbc.com>
Reply-To: HSBC<ammarzamir@yahoo.com>
Subject: Payment Advice - Advice Ref:[GLV614321555] / Priority payment / Customer Ref:[INTERCOL]
Attachment: Payment Advice - Advice RefGLV614321555 Priority payment Customer RefINTERCOL.img (contains "payment.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Generic.mg.fcec6c7bdf33a715.7827.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file in the %temp% directory

Moving a file to the %temp% directory

Deleting a recently created file

Setting a global event handler for the keyboard

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/426519

Signature

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c1eb825c340f71f623701f1bd53ecdc89ffc44a7598f51efc6c1febb8e6439e6/

Threat name:

ByteCode-MSIL.Backdoor.Crysan

Status:

Malicious

First seen:

2020-08-13 14:05:06 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yhvyexbub5y7mi3qd4n5kpwnzcp7yrfhlghvd36gyh7lxdtehhta._file

Verdict:

malicious

MassLogger

065011f5098f869c79ff098a104765fa08050cfef16bac98b0944108de1ebee4

MassLogger

1bf67b967c8397bfab22e326bce6efa64c647206102d4753569ba1abb538d685

MassLogger

20be971374f0ffd1224aafed410fdb30e3340788a7dd80747dd18f3ef0f8168d

MassLogger

3fc0677051b6ed2a651080ba5eeb17e10d78e82f68f86c5d27a3394107b0f74e

MassLogger

89af10238032ab225e998887850c3910abd7183e67018abfe56b0bdebf2d50d9

MassLogger

9810f656629ec1a2c0957a8d650b6caf1f9431e91c8a9516744636fbd39d54a8

MassLogger

a4df7bd8daff5a4723055c7589244e1719c45223f09f42b06a621aad5ee1f2f4

MassLogger

a89a031dfd0e3e2a92183bf3741f42668132dd8a4dc852bfe142159e0963d03f

MassLogger

c27a39381e1034e23c04713893907c51596a6215a6fb1932281520c17aae8646

MassLogger

+ 522 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200813-e89vhqrdp2/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.96

Link:

https://yomi.yoroi.company/submissions/c1eb825c340f71f623701f1bd53ecdc89ffc44a7598f51efc6c1febb8e6439e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.