MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc9d50ccd0d0a267f1fa1003607ea81931a9c1f857798c3b10af9b5408f01437. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	fc9d50ccd0d0a267f1fa1003607ea81931a9c1f857798c3b10af9b5408f01437
SHA3-384 hash:	879655a22f73ad029599766f28b869f61850c5808ec4032894aa8807aa0569480838af30d9e6876b3f7854c4ebd7b585
SHA1 hash:	30cfb117dc22819ce08458b85b657114a9befbec
MD5 hash:	7e9a447fcbc24b69bb13ff25d5528635
humanhash:	east-quiet-east-papa
File name:	Drawing.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	995'840 bytes
First seen:	2020-08-11 14:12:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:Syq0Pc9hxLyN/IUcoRqD47cyyfO74xYH15J1yUkolyp+uRgB:SyE9hxLQ/IUcfD47Fb74K7dJlypJ
Threatray	711 similar samples on MalwareBazaar
TLSH	EF257D3EB4828478C839A6759478AEC1B6617BCB3B958A1F70D7D30C9E1365B736204F
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: mailf8-br114.dialhost.com.br
Sending IP: 138.118.172.8
From: richard <joel@martinseoliveiraadvogados.com.br>
Subject: PO2846619
Attachment: Drawing.gz (contains "Drawing.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

73

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Ispy

Link:

https://www.capesandbox.com/analysis/43501/

Detection(s):

SecuriteInfo.com.Generic.HEUR.QVM03.0.2AB0.Malware.Gen.23765.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Running batch commands

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/419253

Signature

Deletes itself after installation

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fc9d50ccd0d0a267f1fa1003607ea81931a9c1f857798c3b10af9b5408f01437/

Threat name:

ByteCode-MSIL.Trojan.NetWired

Status:

Malicious

First seen:

2020-08-11 02:06:24 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7sovbtgq2crgp4p2cabwa7videy2tqpyk54yyoyqv6nvichqcq3q._file

Verdict:

unknown

Similar samples:

044c48fe42178958d8f55e5404e056ff0f1071d865deda9cc42518ab2c87fda7

065011f5098f869c79ff098a104765fa08050cfef16bac98b0944108de1ebee4

21cea3a243809c8cc06412ffd647e4896b35a246cf8c365484e0419477d94b37

2302005fdd7c57d73c350d541fd0020b051efffdf02a4f3c3e1671cacea30043

2793ca2b4f702f2ddfcaeb0ccde6700da8b215b9894cf72adbece6a4d57a8e67

2a1b3187f7000dfb10dff758fe598e73e58d6864c5a4579e7c35acd88314ca20

2eea41fa4b1a202182851d36b3866be43e1ba8c4912c18290caaac84da4dbcce

a990373e6225384bd1bab3441dc0cb881f1e03f51f83f7923ca6c9ff228bee5c

aa30ea6f5603484a2f71a0fa1429cef880ee018c6b3557ad09708dca055cbb22

f1ce8a3c72d7e45300b38de923c0ad45c466ef17a44bec4aad85a4672690eb22

+ 701 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200811-sc1g7nybks/

Behaviour

Modifies system certificate store

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.75

Link:

https://yomi.yoroi.company/submissions/fc9d50ccd0d0a267f1fa1003607ea81931a9c1f857798c3b10af9b5408f01437

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz 03a2e324ed80e1b205519b0d734e3f90ba7455dbca17d979e28198d675de8c3d

exe fc9d50ccd0d0a267f1fa1003607ea81931a9c1f857798c3b10af9b5408f01437

(this sample)

Dropped by

MD5 209ccf1134483ab9a9aa1539bb21343b

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 03a2e324ed80e1b205519b0d734e3f90ba7455dbca17d979e28198d675de8c3d

Cape

Cape

https://www.capesandbox.com/analysis/43501/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample