MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca18e92f0eb610f92ce008b708acdca5969f308e319f5f128099514948dbd808. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca18e92f0eb610f92ce008b708acdca5969f308e319f5f128099514948dbd808
SHA3-384 hash: ee0dc4c431c4b51b29f00371f8ec21e59ad8a0a078e4bbb082b97ea933433c06efb6debcab388b53bb62e710dbb56ff7
SHA1 hash: 85d172a9d92ac6ffab2ef770f5a2ae24cdbb4c48
MD5 hash: 821588141f7c3924556263205d554729
humanhash: finch-pennsylvania-glucose-fanta
File name:SKM__C20192910887888001990.pdf.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'193'984 bytes
First seen:2020-11-05 09:44:15 UTC
Last seen:2020-11-05 15:49:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:Lgpsfizp1UwGR/B5o+SlCEIaHm0QqIkRrlGvM8u2:Lgpwo1po/B5sFIaH5IkRZWQ2
Threatray 468 similar samples on MalwareBazaar
TLSH 7945D0F66342EA6AC80F047FF84B26A183D9CF2D95F8814657C5B11D137C6CE96AC08B
Reporter abuse_ch
Tags:exe geo MassLogger TUR


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: esamakine.com.tr
Sending IP: 180.214.236.23
From: Eda HACIHALİLOĞLU ESA <edahacihaliloglu@esamakine.com.tr>
Subject: RE: yeni sipariş
Attachment: SKM__C20192910887888001990.pdf.r00 (contains "SKM__C20192910887888001990.pdf.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/83178/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.58565.32418.25357.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Launching a process
Reading critical registry keys
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/521223
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca18e92f0eb610f92ce008b708acdca5969f308e319f5f128099514948dbd808/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 01:56:14 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zimoslyowyipslhabc3qrlg4uwlj6meoggpv6euatfiussg33aea._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
0b741b53e9abfd7d5147eff7fa963976a776e8bedb99d08ae6e7288525823a59
MassLogger
37899ec2bb2af9ca237b54707d5e7fdff2618bbe743144f71a3338de8bca2c62
MassLogger
88801297a310f88fd29cf5b1e9066eee829a6bf43fe65108f4bc64932b1e845b
MassLogger
a1cc51486690053098454d2e313c4db5071afb8ae600d8caa87a4c5769ee51c2
MassLogger
ac0ca89c2e434d4128516896f5563003a1179583181d0d1fd06754f06ab4deed
MassLogger
c58a7945058bbff6a2bf9aed5ba18ae7aa69cdd935fdafd6df4873680dc8a49b
MassLogger
d18ed06b9419076750525d6324bce7702186263efaa0ab0d3647510268883f37
MassLogger
d98beb65dff0d8e1963f1cc7df755e273bbe45c8143b556bc9a84bcfd0cdea78
MassLogger
e6dfcee5a6edf1015136b0173ff2bb953982545f581ecf4a6fdd922c2818c609
MassLogger
f6c28a76b12ddb94037c6cac0426ba87fb3201634731b901f66aecc15d5a98be
MassLogger
+ 458 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger persistence spyware stealer
Link:
https://tria.ge/reports/201105-hahf1zx6re/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
ca18e92f0eb610f92ce008b708acdca5969f308e319f5f128099514948dbd808
MD5 hash:
821588141f7c3924556263205d554729
SHA1 hash:
85d172a9d92ac6ffab2ef770f5a2ae24cdbb4c48
Link:
https://www.unpac.me/results/4cf42f57-76e6-4ae0-856a-43047ffba73e/
SH256 hash:
6db6716a353ba7a3546313f54c004128da4951a0fbd91cde640116c9626ff482
MD5 hash:
d62cc3fdc6fa8bd75f1a6026b5a176b8
SHA1 hash:
1650b1546296b82c1455191a44302c55cc4d878d
Link:
https://www.unpac.me/results/4cf42f57-76e6-4ae0-856a-43047ffba73e/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/4cf42f57-76e6-4ae0-856a-43047ffba73e/
SH256 hash:
d2e8fdda571fab2369b8ef03a31599cca12769b671f4b6fdd834be409c69e325
MD5 hash:
7812283b6755d64387b920d1647e23a7
SHA1 hash:
5de53822f2b69758fdd44cd4acff130fd3e1499d
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/4cf42f57-76e6-4ae0-856a-43047ffba73e/
Parent samples :
d18ed06b9419076750525d6324bce7702186263efaa0ab0d3647510268883f37
a1cc51486690053098454d2e313c4db5071afb8ae600d8caa87a4c5769ee51c2
37899ec2bb2af9ca237b54707d5e7fdff2618bbe743144f71a3338de8bca2c62
ca18e92f0eb610f92ce008b708acdca5969f308e319f5f128099514948dbd808
60433e0a1c1fb088c5be37ca9760486fd17bb99b848817880b5601e77150e1c8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

r00 c1089d2ab0dec80be8b857ddf5d1f8df7b41a7aa540cdea71de7dc52d90d8a8a

MassLogger

Executable exe ca18e92f0eb610f92ce008b708acdca5969f308e319f5f128099514948dbd808

(this sample)

  
Dropped by
MD5 7875977da9bd958ebba147140ac30a7a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c1089d2ab0dec80be8b857ddf5d1f8df7b41a7aa540cdea71de7dc52d90d8a8a
Cape
Cape
https://www.capesandbox.com/analysis/83178/

Comments