MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c275838c21fb95937bac4d383e415c16170a5fa05706c1f1939020beac90f2f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	c275838c21fb95937bac4d383e415c16170a5fa05706c1f1939020beac90f2f9
SHA3-384 hash:	8199a7849f13b5d53bd3b7408cddfd2922653825e1cc54c5e77067381b342bbff5e3b4a089c29ab13a7fb5b7b819d838
SHA1 hash:	8505ac5672044e622bc6723b0f744c418cb6599a
MD5 hash:	0956ac30bf36b3ec07b9a58a8c4cb1c4
humanhash:	indigo-nebraska-march-oxygen
File name:	COT.1062.UGTO.JOSE LUIS NAVA.pdf.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'035'264 bytes
First seen:	2020-10-21 08:08:32 UTC
Last seen:	2020-10-21 08:56:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:iBuHjw1PDIQmgTNVtpzoHRzGw490mAu2LBN:iBuHk1PDIQm4ptrzhEB
Threatray	374 similar samples on MalwareBazaar
TLSH	CB25F12122989B25E5F963381F20D17023F5ED2AE3A2D54A3DE57C9F39BEF430561722
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: host.digitrafico.mx
Sending IP: 209.59.151.64
From: KEM Guanajuato <ventas1@flexijuntas.com.mx>
Reply-To: KEM Guanajuato <officejb01@mail.com>
Subject: COTIZACIÓN 1062
Attachment: COT.1062.UGTO.JOSE LUIS NAVA.pdf.gz (contains "COT.1062.UGTO.JOSE LUIS NAVA.pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/73891/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.34843418.32038.20322.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/505395

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c275838c21fb95937bac4d383e415c16170a5fa05706c1f1939020beac90f2f9/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-10-20 20:10:01 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yj2yhdbb7okzg65mju4d4qk4cylqux5ak4dmd4mtsaql5leq6l4q._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

08d49c14a81bc6b95397e6c0adc1efa3325fd00cd3ba6c7083353f7d93be1429

MassLogger

469a999081f85b628a17c458feaa87c21afa26376275c374551917bb50b0bb95

MassLogger

5dd8cf7e789bc36a9a069cf42247f758e8900f8913c88e5ac84328d30e6d7c99

MassLogger

6fa989b62b63aaded7491064aa90066cbd99de488e716314295b2a4616f4b46c

MassLogger

88e157995a6f79f670bad1611fdba6514152bb1f2682e0dbc28c3e9291b8c221

MassLogger

a8a0ccb327ebc5fce7c9a2086cea22103467000ecda8f66b57c4af0b9536e81e

MassLogger

ce073fce9de335c288fe205d5bf7fbdd9fd3ecc718821116dbad098f176a69de

MassLogger

d26348ff173c06f51df8320d7aa56c94f37f62bd24ef43cb1527f723815caa6e

MassLogger

fa655773a5d44061edbaeedb2b3e31597bcefe870c47fdefdb39ea0bb072d31d

MassLogger

+ 364 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201021-ztbc12pale/

Unpacked files

SH256 hash:

c275838c21fb95937bac4d383e415c16170a5fa05706c1f1939020beac90f2f9

MD5 hash:

0956ac30bf36b3ec07b9a58a8c4cb1c4

SHA1 hash:

8505ac5672044e622bc6723b0f744c418cb6599a

Link:

https://www.unpac.me/results/eb64ec0d-b832-4d11-9bbd-ee2cf4c9c0b8/

SH256 hash:

4322743fc9261f8ac64a31481dce3d3072ce586d3d8da7996c93d9a9858162fa

MD5 hash:

cc144c1adc6f36f930e08cd85235b3d2

SHA1 hash:

9e132a59ca328565380119bf6a555d5001b27417

Link:

https://www.unpac.me/results/eb64ec0d-b832-4d11-9bbd-ee2cf4c9c0b8/

SH256 hash:

6f787f3996de5be8dea8db55731910021952c47476ced479be6234b397a3d6e2

MD5 hash:

7af14151bc2380ac6dcfbbf6767c2fc1

SHA1 hash:

9e1534bc688372eb83cfcccf5dab48e69cecfcaf

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/eb64ec0d-b832-4d11-9bbd-ee2cf4c9c0b8/

Parent samples :

6fa989b62b63aaded7491064aa90066cbd99de488e716314295b2a4616f4b46c
d26348ff173c06f51df8320d7aa56c94f37f62bd24ef43cb1527f723815caa6e
c275838c21fb95937bac4d383e415c16170a5fa05706c1f1939020beac90f2f9

SH256 hash:

30bb6b1c0785faedba1c201f8899ffdae9f023c40586013aaaca9b55e60ca3bd

MD5 hash:

b66b02896b4decd4c6e30140534e7ba9

SHA1 hash:

b6fc81168b9fb5c46a8ac284a485fb0f087901ea

Link:

https://www.unpac.me/results/eb64ec0d-b832-4d11-9bbd-ee2cf4c9c0b8/

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/eb64ec0d-b832-4d11-9bbd-ee2cf4c9c0b8/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

gz ff179266bafaed8e19b2230c36e8f94fde238ea38ea05759bb1b45354e2e3d31

MassLogger

exe c275838c21fb95937bac4d383e415c16170a5fa05706c1f1939020beac90f2f9

(this sample)

Dropped by

MD5 e96332d219ece9a4ac813ed2eaa3d9cb

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/73891/

Dropped by

SHA256 ff179266bafaed8e19b2230c36e8f94fde238ea38ea05759bb1b45354e2e3d31

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample