MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6df04b1b109a5d525073529a3877c3df598f9fcb62278a82412fc7736ed1ba7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6df04b1b109a5d525073529a3877c3df598f9fcb62278a82412fc7736ed1ba7
SHA3-384 hash: d4d15faa0f8914e74d3ed9d661e4908e14a241c93c0ef02f556b989cc64597ea21775d90a6f08cef46912bb72c591b0e
SHA1 hash: dbe8051a4f25ee4716297a36295cafb4e46c951c
MD5 hash: 293669a0b90d7bc20d639c077517ef93
humanhash: glucose-hawaii-connecticut-ten
File name:Order inquiry skmt042.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:907'264 bytes
First seen:2020-08-05 08:26:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:FGL9cVe+pMLDE+rn0B22ZUMCV9SFoaXXphCYl2oszcjXX:i9c/w422Z6wCY458X
Threatray 420 similar samples on MalwareBazaar
TLSH EA15125C7690A86AF2AE1E3F4D305593DD72F49FDE26D18B2A311968013E28CEC71F61
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: imsantv22.netvigator.com
Sending IP: 210.87.247.10
From: Jennifer Yones <market002@biznetvigator.com>
Subject: QUOTE YOUR BEST ROCK BOTTOM PRICE ON FOB YOUR NEAREST PORT BASIS IN US$ AT YOUR EARLIEST.
Attachment: Order inquiry skmt042.zip (contains "Order inquiry skmt042.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
64
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39199/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.43598321.19193.8912.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Running batch commands
Enabling autorun by creating a file
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/410567
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 257551 Sample: Order inquiry skmt042.exe Startdate: 05/08/2020 Architecture: WINDOWS Score: 92 35 Sigma detected: Scheduled temp file as task from temp location 2->35 37 Yara detected MassLogger RAT 2->37 39 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 2->39 41 6 other signatures 2->41 8 Order inquiry skmt042.exe 5 2->8         started        process3 file4 27 C:\Users\user\AppData\Roaming\lgzxpd.exe, PE32 8->27 dropped 29 C:\Users\user\...\lgzxpd.exe:Zone.Identifier, ASCII 8->29 dropped 31 C:\Users\user\AppData\Local\...\tmp9351.tmp, XML 8->31 dropped 33 C:\Users\...\Order inquiry skmt042.exe.log, ASCII 8->33 dropped 45 Injects a PE file into a foreign processes 8->45 12 Order inquiry skmt042.exe 3 8->12         started        14 schtasks.exe 1 8->14         started        16 Order inquiry skmt042.exe 8->16         started        signatures5 process6 process7 18 cmd.exe 1 12->18         started        20 conhost.exe 14->20         started        process8 22 powershell.exe 17 18->22         started        25 conhost.exe 18->25         started        signatures9 43 Deletes itself after installation 22->43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6df04b1b109a5d525073529a3877c3df598f9fcb62278a82412fc7736ed1ba7/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 04:04:24 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=63pqjmnrbgs5kjihguu2hb34hx2zr6p4wyrhrkbecl6honxndotq._file
Verdict:
malicious
Similar samples:
0bc730f8804a7ca3bb1ce3ef623dd0589d5813086d950b9173c8294293070a16
MassLogger
29285c1e0f58e12ace807098090275535b37d6faf0379372b4ae41299cca5c3f
MassLogger
383c5be68c83202fd20ce29fe47dc6982229ae6bc87349c44216d875554c1d17
MassLogger
4f7ce008febd9fe224c7a7cec7d8abf8c0db3611fd14d8aca135041d21d2b45c
MassLogger
5a08d0f514ac2efd07cc045c1b896cf7c6426dd0013ad523a14bbdbce2b25edd
MassLogger
97e4b41e30337b05fa008fbb69cbd5f16af2e61067637d1fad45894cfe4c683f
MassLogger
98f14edea3c84946787d020e97f6b161cae2ed419e458434413626b9893c6f62
MassLogger
9a39817abcaf9b2ad45fecd4aec867e6989ece31d2dd41410622af0fc6547444
MassLogger
d02c315a42a4a452a9e78011fbcce66f9f53bab788513d1b6f52e8fc70aa9f3c
MassLogger
ea1d4c5b29018a3134b0b0f1d6cb8055b39e94b5d44e3a6cb18d5cc6b0bfce4e
MassLogger
+ 410 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware evasion spyware stealer family:masslogger
Link:
https://tria.ge/reports/200805-r4gh6s46cx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger log file
Modifies visibility of file extensions in Explorer
MassLogger
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f6df04b1b109a5d525073529a3877c3df598f9fcb62278a82412fc7736ed1ba7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip a856e5350e746c93706bb1ab5ea9ecf205fa1ac10c4363a248cd8b9ef456e66c

MassLogger

Executable exe f6df04b1b109a5d525073529a3877c3df598f9fcb62278a82412fc7736ed1ba7

(this sample)

  
Dropped by
MD5 6ca3db45bf4a118df5ede9f6cf474733
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/39199/
  
Dropped by
SHA256 a856e5350e746c93706bb1ab5ea9ecf205fa1ac10c4363a248cd8b9ef456e66c

Comments