MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc8f5c635abe5534833683141ae57470c09a246eb290895ce748d1bede405c25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc8f5c635abe5534833683141ae57470c09a246eb290895ce748d1bede405c25
SHA3-384 hash: 4443b351a9d249b66e1354e640210664e4d1d509908d65acaf5c8827be2e46864d2e1a503c0daadac674c6b4b2e99486
SHA1 hash: 0ec7dd51cb4d3cf0b6c3449915ed6429e6845b70
MD5 hash: e700ad3eead371c482437a4d40779365
humanhash: sixteen-tango-uniform-coffee
File name:Change Of Bank Account.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'150'976 bytes
First seen:2020-09-25 13:20:53 UTC
Last seen:2020-09-25 13:48:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 971465ba55aa2969c976f7f768bcd887 (2 x AgentTesla, 1 x Matiex, 1 x Pony)
ssdeep 24576:ZRgV9lX4ePztJzKe4QTnExJrP6vK+smrS2QCr6JIHCowE:ZR6bbJR7OyCWG26uie
Threatray 242 similar samples on MalwareBazaar
TLSH 5035BF32F2A14837C1636938DC0B57B4A927BE503A24AF466BF5DC4CBF397907825297
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: ptmatsuo.co.id
Sending IP: 202.74.72.84
From: M. Morhaf Koujan<dharmendra@dnextechnology.com>
Reply-To: <anelem@suprahealthcare.net>
Subject: RE: RFQ
Attachment: Change Of Bank Account.rar (contains "Change Of Bank Account.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.6281.26223.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.BackDoor.SpyBotNET.25.24003.12228.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Deleting a recently created file
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/475181
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 290048 Sample: Change Of Bank Account.exe Startdate: 25/09/2020 Architecture: WINDOWS Score: 100 80 Malicious sample detected (through community Yara rule) 2->80 82 Multi AV Scanner detection for dropped file 2->82 84 Multi AV Scanner detection for submitted file 2->84 86 14 other signatures 2->86 11 Change Of Bank Account.exe 2->11         started        14 wscript.exe 1 2->14         started        process3 signatures4 108 Writes to foreign memory regions 11->108 110 Allocates memory in foreign processes 11->110 112 Maps a DLL or memory area into another process 11->112 114 Queues an APC in another process (thread injection) 11->114 16 Change Of Bank Account.exe 15 7 11->16         started        20 notepad.exe 1 11->20         started        23 notepad.exe 11->23 injected 25 Change Of Bank Account.exe 14->25         started        process5 dnsIp6 68 elb097307-934924932.us-east-1.elb.amazonaws.com 184.73.247.141, 49703, 80 AMAZON-AESUS United States 16->68 70 192.168.2.1 unknown unknown 16->70 72 2 other IPs or domains 16->72 62 C:\Users\user\...\Mekzi Mass Logger.exe, PE32 16->62 dropped 27 cmd.exe 16->27         started        29 cmd.exe 16->29         started        31 powershell.exe 23 16->31         started        88 Drops VBS files to the startup folder 20->88 90 Delayed program exit found 20->90 92 Writes to foreign memory regions 25->92 94 Allocates memory in foreign processes 25->94 96 Maps a DLL or memory area into another process 25->96 33 Change Of Bank Account.exe 3 25->33         started        36 notepad.exe 1 25->36         started        file7 signatures8 process9 file10 38 Mekzi Mass Logger.exe 27->38         started        41 conhost.exe 27->41         started        43 timeout.exe 27->43         started        45 conhost.exe 29->45         started        47 schtasks.exe 29->47         started        49 conhost.exe 31->49         started        64 C:\Users\...\Change Of Bank Account.exe.log, ASCII 33->64 dropped process11 signatures12 100 Writes to foreign memory regions 38->100 102 Allocates memory in foreign processes 38->102 104 Maps a DLL or memory area into another process 38->104 106 Sample uses process hollowing technique 38->106 51 Mekzi Mass Logger.exe 38->51         started        55 notepad.exe 38->55         started        process13 dnsIp14 74 54.204.14.42, 49708, 80 AMAZON-AESUS United States 51->74 76 nagano-19599.herokussl.com 51->76 78 2 other IPs or domains 51->78 98 Tries to steal Mail credentials (via file access) 51->98 58 powershell.exe 51->58         started        66 C:\Users\user\...\Change Of Bank Account.vbs, ASCII 55->66 dropped file15 signatures16 process17 process18 60 conhost.exe 58->60         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc8f5c635abe5534833683141ae57470c09a246eb290895ce748d1bede405c25/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-09-25 11:05:56 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7shvyy22xzktjazwqmkbvzluodajujdowkiisxhhjdi35xsalqsq._file
Verdict:
suspicious
Similar samples:
3a61c2e77a0e22e3d7958ef355b88e21b73986ab5e0f2e6dedf7e3d77691e0d6
MassLogger
7f65935cd55b5a0978bf0a70690462a08d83657a97ddbe6aba871a5496d5f9c5
MassLogger
9ce382b1991be3ae8fa744c4abf5d450ee9d376da295dfee8ca565551e75a9b0
MassLogger
9f0866780aa84107697212f1b3578777c450861c02a6e01f5741de28c858900c
MassLogger
b515db56b7c63191b19befe748f7af7f00d08623029e8856c86fc46362fbed9f
MassLogger
d8cea078199dbdef51ec7189cf03541bbcbd10c49a133b187348e2a24fe1e2eb
MassLogger
dc0087097e433036c00aaf8751d4cd9dc3e309fdba09c2ee1415a4060aa1cced
MassLogger
e2df2b406150713616dbcbdbba76f1939e2605c3b30c6ae62e05832eb874e0e0
MassLogger
ed42640da83dda3bf2ed08c414bfd256a82c9a8ef1894a59e3c421b254c59d4d
MassLogger
f784d412a56ccd414525c22e6b2e7c9482040e89be20fdb1f2e4db0016812ea7
MassLogger
+ 232 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx spyware
Link:
https://tria.ge/reports/200925-5cjk6kz2yn/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
fc8f5c635abe5534833683141ae57470c09a246eb290895ce748d1bede405c25
MD5 hash:
e700ad3eead371c482437a4d40779365
SHA1 hash:
0ec7dd51cb4d3cf0b6c3449915ed6429e6845b70
Link:
https://www.unpac.me/results/5126d2c0-dfeb-4ed7-8d90-dd19a4e7353e/
SH256 hash:
3cfa68a36c5167776340996a6a398d5133b3e785f950d5fa401a870365227b93
MD5 hash:
3e01859979a525b196522c98790a79f1
SHA1 hash:
f9b51ebd0de7faf4f3684500caf044b71b89a1f2
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/5126d2c0-dfeb-4ed7-8d90-dd19a4e7353e/
SH256 hash:
52275d87b625088b2346c41e2659d2590b27c522d054834b18248a4009df4677
MD5 hash:
2d06038a79ef18a3040884a85f3b0485
SHA1 hash:
63fa10471db571a9ef8d55c64cf2c3bbfc1f53ee
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/5126d2c0-dfeb-4ed7-8d90-dd19a4e7353e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc8f5c635abe5534833683141ae57470c09a246eb290895ce748d1bede405c25

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar d69e779d7909f77aa9d80c5512e05807f5afb6335ea0855bc733cd34cece541d

MassLogger

Executable exe fc8f5c635abe5534833683141ae57470c09a246eb290895ce748d1bede405c25

(this sample)

  
Dropped by
MD5 10fc41a99c3b052f1b3672e77217e01d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/65834/
  
Dropped by
SHA256 d69e779d7909f77aa9d80c5512e05807f5afb6335ea0855bc733cd34cece541d

Comments