MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8f4223d57a495c09741feb21a5e2ec082321d38a77e54a4d2b4b147d8e6bc23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: d8f4223d57a495c09741feb21a5e2ec082321d38a77e54a4d2b4b147d8e6bc23
SHA3-384 hash: c93560d51dd9569e3f1a938944acc34f3004308693d24a623748df775b00b9397938147c11c934fa7f44c02467ee1e27
SHA1 hash: 81443874dc7ac6cb16786f2c8779d823e13986dc
MD5 hash: 8c2ae0a1d14cda74ddc4309b46fee9a3
humanhash: muppet-december-romeo-delaware
File name: DHL Shipping Documents.exe
Signature: MassLogger
File size: 2'114'560 bytes
First seen: 2020-06-16 12:59:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: afcdf79be1557326c854b6e20cb900a7
ssdeep: 49152:gh+ZkldoPK8YaphcZC/cSsKtOz2QF1n8m7ZfBX:B2cPK81XcnKtMBnNNB
TLSH: 0EA5E00273929036FFAF92735B6AB20556BCA9250123853F13981DB9BD701B12E7D26F
Reporter: @abuse_ch
Tags: DHL, exe, MassLogger


Twitter
@abuse_ch
Malspam distributing MassLogger:

HELO: slot0.signform-pl.me
Sending IP: 45.95.169.216
From: DHL EXPRESS<szr.pavlinji@neobee.net>
Reply-To: <info@dormak.com.tr>
Subject: Re: RE: URGENT::::DHL tracking no 4680921932
Attachment: DHL Shipping Documents.zip (contains "DHL Shipping Documents.exe")

MassLogger SMTP exfil server:
mail.elkat.com.my:587

Intelligence


File Origin
# of uploads: 1
# of downloads: 29
Origin country: US

Mail intelligence
Geo location: Global
Volume: Low

Vendor Threat Intelligence
Threat name: Win32.Trojan.Occamy
Status: Malicious
First seen: 2020-06-16 13:01:09 UTC
AV detection: 20 of 31 (64.52%)
Threat level: 5/5

Result
Malware family: masslogger
Score: 10/10
Tags: ransomware, stealer, spyware, family:masslogger
Behaviour:
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetThreadContext
Looks up external IP address via web service
MassLogger log file
MassLogger

Yara Signatures


Rule name: masslogger_gcch
Author: govcert_ch

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
MassLogger
Executable exe d8f4223d57a495c09741feb21a5e2ec082321d38a77e54a4d2b4b147d8e6bc23 (this sample)

Delivery method: Distributed via e-mail attachment

Comments