MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7d5f4ed2e66690a6df80a325edf4e6f1d20a2a650b989889d65d934d0ae5c1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7d5f4ed2e66690a6df80a325edf4e6f1d20a2a650b989889d65d934d0ae5c1a
SHA3-384 hash: 5caa497282705c4b6458dd643abcde0a026ff60478b24d89298505e1cfc21e3976c6204e1f341ce5d63710666da10a5c
SHA1 hash: c9d1a60e9fe9ac23d6836fd3303ba3bd5b4f7088
MD5 hash: 915e335e7be7618c04048cb172ff15cb
humanhash: ack-august-speaker-crazy
File name:ORDER-CONFIRMATION.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:739'952 bytes
First seen:2020-10-16 13:03:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'481 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:Rr4OYg8jp9LwcAyPYVXBAUX0so9jl2WHcLmz493IT7nvi92eoE+ZvySD6k3JrVK1:Gnjp9hRJ+xoZMWHcL0493IPnq0pa
Threatray 239 similar samples on MalwareBazaar
TLSH DCF49EBD6A44AC6DEF9E5DF3C4B01421852C77973D86F10294C379D81C3E2927ABA0AD
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: out.exch025.serverdata.net
Sending IP: 64.78.32.136
From: Dispatch at Copp Trucking <Dispatch@copptrucking.com>
Subject: ORDER CONFIRMATION
Attachment: ORDER-CONFIRMATION.bz (contains "ORDER-CONFIRMATION.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% subdirectories
Launching a process
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/493680
Signature
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299298 Sample: ORDER-CONFIRMATION.exe Startdate: 16/10/2020 Architecture: WINDOWS Score: 100 38 Multi AV Scanner detection for dropped file 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected MassLogger RAT 2->42 44 8 other signatures 2->44 7 ORDER-CONFIRMATION.exe 16 5 2->7         started        12 limslimspeed.exe 2 2->12         started        14 limslimspeed.exe 14 2 2->14         started        process3 dnsIp4 24 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.126.66, 49741, 80 AMAZON-AESUS United States 7->24 26 nagano-19599.herokussl.com 7->26 28 api.ipify.org 7->28 20 C:\Users\user\AppData\...\limslimspeed.exe, PE32 7->20 dropped 22 C:\Users\...\limslimspeed.exe:Zone.Identifier, ASCII 7->22 dropped 46 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->46 48 Tries to steal Mail credentials (via file access) 7->48 50 Adds a directory exclusion to Windows Defender 7->50 16 powershell.exe 25 7->16         started        30 50.19.252.36, 49746, 80 AMAZON-AESUS United States 12->30 34 2 other IPs or domains 12->34 52 Tries to harvest and steal browser information (history, passwords, etc) 12->52 32 54.225.66.103, 49745, 80 AMAZON-AESUS United States 14->32 36 2 other IPs or domains 14->36 file5 signatures6 process7 process8 18 conhost.exe 16->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7d5f4ed2e66690a6df80a325edf4e6f1d20a2a650b989889d65d934d0ae5c1a/
Threat name:
ByteCode-MSIL.Trojan.Masson
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 04:12:56 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=47k7j3jomzuqu3pybizf5x2on4osbivgkc4ytce5mxmtjufolqna._file
Verdict:
unknown
Similar samples:
071ba6fa9eef804d528534c2fc314365ab5a4b2dcffdd90eb2bffaabc57ab987
MassLogger
344e623ca2c22240a52b952e83939f053675259b17f207cdd71453acab5d0060
MassLogger
5556fd4e05f530387ffc197111e21e50fb37387e824f738332e95ae834cc673c
MassLogger
61a57f66dd47818dbde83c6b2eae0bfe5ecac215605e3fac4c4a2a30c270cc04
MassLogger
6c66ed3a40b1964b2d4f5d86214ba8468e0313ae8f340bb91a8059f94318e47c
MassLogger
7ce357f7c3475e91f3dd3880f4fbbaa6d50f7101044b8b24e2ca0ea70981286c
MassLogger
8044dc7f383547fb4d9acfc1bfd1adfe3e6def133317a506b991e5b62a29bc63
MassLogger
c905064bb651ad48f6a67415f4b982254e6f816ff03b1f19d3da32da19a8d788
MassLogger
e8da65e395c309509563df99675f2ddaa5339b55fd944867a479ffc5d3639946
MassLogger
ea4d8d060bcd85bdb08cc7bd4f510a8539e84119011abb56e9e0158432e4de54
MassLogger
+ 229 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
persistence spyware stealer family:masslogger
Link:
https://tria.ge/reports/201016-g45mbq8766/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
f41229f864fab2c2223b9f1c59f9f0bf4725d41bb28b2e57320480ea62a70007
MD5 hash:
975b70da100e3fa0ed8ff4ea1ab646b8
SHA1 hash:
1d82148971fa66145360cb27ed7158bd6f4498d9
Link:
https://www.unpac.me/results/39c80f13-1d6e-4752-a160-32e05bc13a6d/
SH256 hash:
7dd6ebba266751055e5a814f653e67a989280bc674799637059208dc2ac6ea34
MD5 hash:
662f5ae3c97d6af8a79b5c66467af1cb
SHA1 hash:
856ce4655b55d40889c7ac0f556cd096c2fe8efe
Link:
https://www.unpac.me/results/39c80f13-1d6e-4752-a160-32e05bc13a6d/
SH256 hash:
1a85da80185dcff532bdca223c9728022278622e8fa50ea6405bc783893dcf6f
MD5 hash:
e7279048578c190c7696e4425e69e991
SHA1 hash:
c44a0c3731e41be24b7ebda76c3079fe97ec6968
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/39c80f13-1d6e-4752-a160-32e05bc13a6d/
SH256 hash:
e7d5f4ed2e66690a6df80a325edf4e6f1d20a2a650b989889d65d934d0ae5c1a
MD5 hash:
915e335e7be7618c04048cb172ff15cb
SHA1 hash:
c9d1a60e9fe9ac23d6836fd3303ba3bd5b4f7088
Link:
https://www.unpac.me/results/39c80f13-1d6e-4752-a160-32e05bc13a6d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tnega
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7d5f4ed2e66690a6df80a325edf4e6f1d20a2a650b989889d65d934d0ae5c1a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar e6ebba3e4d46d85ffdedd77fd4eb2337c970c04d41adb428ef510ad4803f1a1b

MassLogger

Executable exe e7d5f4ed2e66690a6df80a325edf4e6f1d20a2a650b989889d65d934d0ae5c1a

(this sample)

  
Dropped by
MD5 100a030a78dcdb1b61cce5d26609c065
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72036/
  
Dropped by
SHA256 e6ebba3e4d46d85ffdedd77fd4eb2337c970c04d41adb428ef510ad4803f1a1b

Comments