MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfda81fea66e56fe0f6a8eed267b836f31c7c3f1d7ecdf08fb0c13f8203e7dcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	cfda81fea66e56fe0f6a8eed267b836f31c7c3f1d7ecdf08fb0c13f8203e7dcb
SHA3-384 hash:	3e5a672a75d2c5e34cfc197a2de34770706903a5621f0d572cdb50ef67dde45cf4a92d9ea826eed9870915b83072f31f
SHA1 hash:	b1dcffd542eb1123ae64b0bf8cf9339af6a85098
MD5 hash:	c172a477598f4eff49d80ac81946c3cd
humanhash:	artist-quiet-cola-purple
File name:	purchase order.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	159'288 bytes
First seen:	2020-10-30 13:27:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	3072:Vh1p3tYawRCfFjldUuetoZFDoupEcMbBUKy:VhLScPZ+y
Threatray	36 similar samples on MalwareBazaar
TLSH	30F3A383B9859851EC693B7575337D3F01776EE56936E34A489BB3E20FB32860323642
Reporter	James_inthe_box
Tags:	exe MassLogger

Code Signing Certificate

Organisation:	Adobe Inc.
Issuer:	DigiCert EV Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	Jan 31 00:00:00 2019 GMT
Valid to:	Feb 3 12:00:00 2021 GMT
Serial number:	06F24D9F4DB07BD7ECAD067F5EE26C29
Intelligence:	9 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	F1D08D7B98504370C1D5C40DCD8D8DCEAB084E9095CEF544465C445A374A18B0
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/81235/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %AppData% subdirectories

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Creating a window

Reading critical registry keys

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Setting a global event handler for the keyboard

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/517002

Signature

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cfda81fea66e56fe0f6a8eed267b836f31c7c3f1d7ecdf08fb0c13f8203e7dcb/

Threat name:

ByteCode-MSIL.Infostealer.Fareit

Status:

Malicious

First seen:

2020-10-29 22:23:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=z7nid7vgnzlp4d3kr3wsm64dn4y4pq7r27wn6ch3bqj7qib6pxfq._file

Verdict:

suspicious

MassLogger

2e4775c5d181f37f4a0802a9982601352f0a7de1ffd74909024150572ed6522b

MassLogger

36e711a66774ed0b6457f8d442315a4d1b5d06781a8ab1254abda5ba824bb816

MassLogger

5b832740ae1f2a5c2c10e37aadd6d0b74d647a9ff853f091a2262ef0ae2c672c

MassLogger

a9cdbfef9598908dcd196e0ecc0f4a76ab2e4a0952334c7ccfc12d74f1fd7060

MassLogger

b4267cab9e3e8255b44e1947b4c6bb40901d9f0654c2d0ab40690851fcacf16c

MassLogger

d8f37e199f10881b2045823553fd64f3f52ec616e24f2235a47dae7c435a3c72

MassLogger

e9f6a306988f2ef722e09399f0473f0d8623b23da0de1bb32e58e91d21a356e3

MassLogger

ea7a3ae571da4778b074b401b955e1a8d8a9470bc72a7e3e45880a8f7223e652

MassLogger

f132a49b6940edaa008fdf3b73fb80ffec67e83ff8ffd8eec657386fda9c48a5

MassLogger

+ 26 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

family:masslogger persistence spyware stealer

Link:

https://tria.ge/reports/201030-yrf6wf1nts/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Adds Run key to start application

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

MassLogger

MassLogger Main Payload

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/81235/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample