MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db18483e4256dc8f3362b52e3474260eeee4a7e7af43c8126200237e5a8804db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	db18483e4256dc8f3362b52e3474260eeee4a7e7af43c8126200237e5a8804db
SHA3-384 hash:	f4ab9e9579e32201c044826c31b54030a80bac9da09fd9424f26b77798c82cb008ff2835e0f6cf35c433099e1408e9d2
SHA1 hash:	ecd3faede2a34fee58c8b84e297abf217e9b4b4c
MD5 hash:	43bf47ce9c3b94e284d4b1127ae23316
humanhash:	west-ohio-london-delta
File name:	RFQ.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	862'720 bytes
First seen:	2020-08-11 12:26:10 UTC
Last seen:	2020-08-11 13:19:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:bGtpqAs1yqoORh2n3RODAPKpg++8CjgDdBP94cdhiL/jUOgrpiATnS56DY0ssmeN:bSpq1AKeBNyG+LDdB9n8LjUDQA
Threatray	723 similar samples on MalwareBazaar
TLSH	1705AEAC325876DEC597CD36896C2C90AA217C275B1FC50BA01731AD9A3DB97CF106B3
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: server.linux108.papaki.gr
Sending IP: 185.138.43.36
From: Ian Walker <iwalker@multipowerproducts.com>
Reply-To: Ian Walker <iwalker@multipowerproducts.com>
Subject: RE:BANK TRANSFER SLIP
Attachment: BANK SLIP v.zip (contains "RFQ.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

74

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/43348/

Detection(s):

SecuriteInfo.com.CIL.HeapOverride.Heur.22787.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Running batch commands

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/418799

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Deletes itself after installation

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/db18483e4256dc8f3362b52e3474260eeee4a7e7af43c8126200237e5a8804db/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-11 12:28:07 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3mmeqpsck3oi6m3cwuxdi5bgb3xojj7hv5b4qetcaarx4wuiatnq._file

Verdict:

unknown

Similar samples:

1342cdcc9231fdd7637c5a78b07485e5f2fb706479e0441f0b53bd1bd8228697

3277c38c152ed39a94dbc50b60675ba3438631243837bf30ce65c996ceab524d

37eb096457c5f3b81945f57de1b46674cdd7ccf83714f0bc4c0d982ade2405bd

50b298120d93f328fa5949eeb470a41ac0e846b28df37d46cb16c0beaa1b128e

5d7470dd39f59feeb354918508f99d909e2e05a9bd41e4a180848f999cd00fb3

7601104485381f818f5b171b8be6630c0f6b4792e14695e6146c876ff852cb3c

7fd925382882b58adc1b5e4a24a96d7fdcf3089f9badc5f6190489ddc9cb238a

8645ba1b7632006a19223c7f307f618290c1a7c98fc6118d3b1dd9b2c46687f4

c8014126255b80593651f5fe1e69e069147866498dbb78129f775d76a0fa8682

ff0b197ef34800ad007a5caedaf485af5ae523343ce8ec106d3a253d2c0a4a35

+ 713 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200811-41xxzyt2f6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/db18483e4256dc8f3362b52e3474260eeee4a7e7af43c8126200237e5a8804db

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 6c5210755b655eb982c7d572de94e5ef9d685ec236e629ef03eb99bbcabfcdaf

exe db18483e4256dc8f3362b52e3474260eeee4a7e7af43c8126200237e5a8804db

(this sample)

Dropped by

MD5 e5591b0e2f20cae1b61a7fa108f2e4b5

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/43348/

Dropped by

SHA256 6c5210755b655eb982c7d572de94e5ef9d685ec236e629ef03eb99bbcabfcdaf

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample