MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d289aa3e60f3ab62850fb533294c99a08995da13ec6d73ed23a0d1d2312ab1c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA 5 File information Comments

SHA256 hash:	d289aa3e60f3ab62850fb533294c99a08995da13ec6d73ed23a0d1d2312ab1c3
SHA3-384 hash:	4fb134b3a158744ca5d78b47fd032c58e599707537aca14a6cb5fc2b0a5cf492ae9599cf4e22bd7e7ca4a8bc9e74b560
SHA1 hash:	ce2f3e0bf426322c339e3ceddb2821daf56f1a2a
MD5 hash:	6a6e34875503fc2c9027178d8d3df68d
humanhash:	muppet-friend-skylark-utah
File name:	Alhammra RFQ 004-001102.PDF.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'236'480 bytes
First seen:	2020-11-05 15:41:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:xWv19GREqB8KIB+15receTr/+6u4B3xXNV3Vt0t3sf:QvGREqWKG+156OZUXf3P0t3w
Threatray	480 similar samples on MalwareBazaar
TLSH	C745D0F66286EA6AC80F013FF84B25A193D9CF2D99FC914647C5B119127C7CE52AC4CB
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing MassLogger:

HELO: whmsrv01.virtualariki.com.br
Sending IP: 177.11.209.2
From: Miguel Alonso <malonso@alhammra.com>
Subject: Alhammra Request for Quotation
Attachment: Alhammra RFQ 004-001102.PDF.r00 (contains "Alhammra RFQ 004-001102.PDF.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/83315/

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Launching a process

Reading critical registry keys

Creating a window

Unauthorized injection to a recently created process

Creating a file

Setting a global event handler for the keyboard

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d289aa3e60f3ab62850fb533294c99a08995da13ec6d73ed23a0d1d2312ab1c3/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2020-11-05 10:57:48 UTC

AV detection:

14 of 48 (29.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2ke2upta6ovwfbipwuzsstezucezlwqt5rwxh3jdudi5emjkwhbq._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

3a5b1c9c7e10e40551f26dafe302f056f86ce6c6c138a96b0b79389a095b7fca

MassLogger

3b8067fda3a018631e93bcc5e5ab73c56adc91c4964c45c092d42f2cc9acea6e

MassLogger

43c2d2c8e89ca3617e9521d6218b2d3c5f9e29b41b591622c658471b01b718f9

MassLogger

598c61af922c9ab00a48daeba9d332c43d81a6a086ed2d77725a194da21b79fd

MassLogger

5a5976b32040e3bce487b8afdfa60ffb87a810b3b65aabb42ee1e66300f0b0af

MassLogger

7bbb0115208c57bc42a9801afbdfeac6b417269c16739787c4f7a792bfa94c88

MassLogger

bd902536f41381af747346fb45f79e16204c8463418570f5681d9788777c5e76

MassLogger

ee126cf35bbdcf2b2e8bbff8f27371910f9037799d4a3f5dbba16e5dc39797e7

MassLogger

fa4b68c46fd7d4f0d304d9ae66988a45ce8fba53a600ec2b29e9d0ad89517f23

MassLogger

+ 470 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

persistence family:masslogger spyware stealer

Link:

https://tria.ge/reports/201105-qxpjmc3zhe/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Modifies service

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

MassLogger

MassLogger Main Payload

Unpacked files

SH256 hash:

31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b

MD5 hash:

0aebe46040ceb011e78506d4985fe3de

SHA1 hash:

218ac1e7b14a66c604ec3042f8486bed9cd4c2c1

Link:

https://www.unpac.me/results/73ba771f-c1cc-4cbf-96bd-e0e0fdc75bc2/

SH256 hash:

42c5df6dc355d4ada4d4354bf8752ec6f37445edce51ed66392aa3e995a9ef3b

MD5 hash:

6033ed9d8411903821a7bf81ea253700

SHA1 hash:

e88379ad52489ec7046e390d9f1554a70b8819f5

Link:

https://www.unpac.me/results/73ba771f-c1cc-4cbf-96bd-e0e0fdc75bc2/

SH256 hash:

b07eb1b18052fe02e2dee07f5d65bbb906163a364690bdbeb599d64882a49c61

MD5 hash:

4bf951387d15470b044fa63427cd03aa

SHA1 hash:

f582cfc299b4a63ea7cbcdd6e61fb39020c326c0

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/73ba771f-c1cc-4cbf-96bd-e0e0fdc75bc2/

Parent samples :

d289aa3e60f3ab62850fb533294c99a08995da13ec6d73ed23a0d1d2312ab1c3
4fe6f0c6283425f0589192cad9f392ce4d2bbfe085b8cc47b91eb2508c6ab2c7

SH256 hash:

d289aa3e60f3ab62850fb533294c99a08995da13ec6d73ed23a0d1d2312ab1c3

MD5 hash:

6a6e34875503fc2c9027178d8d3df68d

SHA1 hash:

ce2f3e0bf426322c339e3ceddb2821daf56f1a2a

Link:

https://www.unpac.me/results/73ba771f-c1cc-4cbf-96bd-e0e0fdc75bc2/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf