MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8cea078199dbdef51ec7189cf03541bbcbd10c49a133b187348e2a24fe1e2eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8cea078199dbdef51ec7189cf03541bbcbd10c49a133b187348e2a24fe1e2eb
SHA3-384 hash: 2b755952daa9beb08a4f1641ca2f97ff344cfbf9a3f03711eaa6c4a2726f75aba292bae4f9d2919f32981b701e43d584
SHA1 hash: 35667d2f6aa4f06ad2e0de80cb2b54424671cb0d
MD5 hash: 8fd5cc075d71bcc33cf6e7d6ce4c9afb
humanhash: blue-single-magazine-tennis
File name:KKKKK.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'025'024 bytes
First seen:2020-08-31 06:01:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash abbb4ff674d361f4d977ae3c60a46e79 (9 x MassLogger, 1 x AgentTesla, 1 x FormBook)
ssdeep 24576:809b/Gmkg3vhuZFtBNsnE3MBoySzG/4mwOh:82GY3vi3SEMFSzy4mJ
Threatray 375 similar samples on MalwareBazaar
TLSH 6525D023B2F04932C0A6167D9C1B97B49D29FE513A249D462FF5DD0C9F39F9038262A7
Reporter abuse_ch
Tags:DHL exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: auth5.cpanel.net
Sending IP: 78.142.208.30
From: DHL <info@sieska.com>
Reply-To: noreply <noreply@garanti.com.tr>
Subject: RE: DHL Shipment Notice of Arrival: AWB 91-2340799
Attachment: RE DHL Shipment Notice of Arrival AWB 91-2340799.rar (contains "KKKKK.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.BScope.Trojan.Kryptik.9879.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file
Unauthorized injection to a system process
Enabling autorun by creating a file
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/454916
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 279839 Sample: KKKKK.exe Startdate: 31/08/2020 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected MassLogger RAT 2->44 46 4 other signatures 2->46 9 KKKKK.exe 2->9         started        12 wscript.exe 1 2->12         started        process3 signatures4 48 Detected unpacking (changes PE section rights) 9->48 50 Detected unpacking (creates a PE file in dynamic memory) 9->50 52 Detected unpacking (overwrites its own PE header) 9->52 54 6 other signatures 9->54 14 notepad.exe 1 9->14         started        17 KKKKK.exe 3 9->17         started        20 KKKKK.exe 12->20         started        process5 file6 56 Drops VBS files to the startup folder 14->56 58 Delayed program exit found 14->58 36 C:\Users\user\AppData\Local\...\KKKKK.exe.log, ASCII 17->36 dropped 22 powershell.exe 19 17->22         started        60 Maps a DLL or memory area into another process 20->60 24 KKKKK.exe 2 20->24         started        26 notepad.exe 1 20->26         started        signatures7 process8 file9 29 conhost.exe 22->29         started        31 powershell.exe 16 24->31         started        38 C:\Users\user\AppData\Roaming\...\KKKKKKK.vbs, ASCII 26->38 dropped process10 signatures11 62 Deletes itself after installation 31->62 34 conhost.exe 31->34         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8cea078199dbdef51ec7189cf03541bbcbd10c49a133b187348e2a24fe1e2eb/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-08-30 20:09:47 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3dhka6aztw666upmoge46a2udo6l2egetijtwgdtjdrket7b4lvq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
trickbot
Create hunting rule
Similar samples:
234b2c300af5e4ac2001332e07c2e54bd48dac174cf8b5d0c486a3cc6076043c
MassLogger
669c338b6022e64b567ca5975b33f2ca26ec77e3b85d3dcb5b8d2002417333d9
MassLogger
8bd39d451b99909467edb3df6618762071da426ee580108882e300cf8b21b0cb
MassLogger
9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4
MassLogger
9f999d5b44ff7bd243bc33f8a89f504c95d6b21eef26b7b80a49715471ff43d3
MassLogger
ab7cc003aa4d6807236dcd8983804a44a460a462c0e6d4ef70b3030f8ab6b366
MassLogger
c0cb41070b74fa0e592f10c6d5312e55009f1cc884bd1c242591bc75c5f9e5eb
MassLogger
d7b0da0e8ccc1474692b0d96320de2254fa2b033bf3c00a9d10dad95aed383ad
MassLogger
dc0087097e433036c00aaf8751d4cd9dc3e309fdba09c2ee1415a4060aa1cced
MassLogger
e2df2b406150713616dbcbdbba76f1939e2605c3b30c6ae62e05832eb874e0e0
MassLogger
+ 365 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/200831-fehs159y6j/
Behaviour
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Reads user/profile data of web browsers
Deletes itself
Drops startup file
UPX packed file
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d8cea078199dbdef51ec7189cf03541bbcbd10c49a133b187348e2a24fe1e2eb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar 766076d0180d65715e4e48b4efd9ee0d45de7d9a3652357c44bdb9d11e6b60b4

MassLogger

Executable exe d8cea078199dbdef51ec7189cf03541bbcbd10c49a133b187348e2a24fe1e2eb

(this sample)

  
Dropped by
MD5 f1e8acc7f21ea5d111603cd63e9539ab
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/53275/
  
Dropped by
SHA256 766076d0180d65715e4e48b4efd9ee0d45de7d9a3652357c44bdb9d11e6b60b4

Comments