MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02fcb6cdd4b61cbf7f40448784a36d0067e618cac935aebf6fd6f482af076ba3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	02fcb6cdd4b61cbf7f40448784a36d0067e618cac935aebf6fd6f482af076ba3
SHA3-384 hash:	96bfadb15aefe0a4d0ebcabb0127c2dba0a1708efb32cac82678ca93f82e2184f09eaf5aa494c4de20ced0e484b82635
SHA1 hash:	b983296cee73f1cbb8280ba019f4970d2bf23e02
MD5 hash:	1120a77cf247c7280324fbe983c116b9
humanhash:	fillet-queen-sad-pip
File name:	QUOTE PRICES IN USD.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	884'736 bytes
First seen:	2020-08-11 11:51:55 UTC
Last seen:	2020-08-11 13:19:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:QsUh2Mj4qYIgCmqOvpoVqzpImsohuL/GKs:QXZTgChO+qzpIBxj
Threatray	724 similar samples on MalwareBazaar
TLSH	6F1523DB26D4A342DFDF5F3A401A32CA4B277AC2F440EA8B09C99096514BEFC9E5C45D
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: mailsnd1.chol.com
Sending IP: 203.252.1.122
From: dwmetal <dwmetal@chol.com>
Subject: RE:RE
Attachment: QUOTE PRICES IN USD.zip (contains "QUOTE PRICES IN USD.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

80

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Artemis1120A77CF247.24631.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Running batch commands

Creating a file

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/418685

Signature

Binary contains a suspicious time stamp

Deletes itself after installation

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/02fcb6cdd4b61cbf7f40448784a36d0067e618cac935aebf6fd6f482af076ba3/

Threat name:

Win32.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-11 11:53:12 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=al6lntouwyol672aisdyji3nabt6mggkze225p3p232iflyhnorq._file

Verdict:

malicious

Similar samples:

0b0537b9f976c4a49f1105bc03d252c0cac7a99b9abdb1a020d2966b6a0b1285

114ba0c81a5ac12f589504d2693d6cb0a845e119bf305fc9eb7b8e756b385f91

1c989f633edcaea6e97a4a96f8a1f9ed19d54ed109cfaf1053a67dc48d28fd52

262df2047b1eb08b3e58a1edc2823e38563c42d74027a7ecfa2a6a8c7f1f1541

2aa941b7340367ad780683ac45b75f8e63b4df7913b4ca6f95e794fd75b36b03

7cfa62ab7a592f04b4268ad35e2a90739666f9d5e91eaa5808dd8ba11239f43d

9dfba413d306830589105d96b90b5ea870b1975bd371350635ea1c2b591bcbd8

ac3d6770654e9274a348c63c14b7b057ab38ff81a2377aec01a987ddb9e6ed82

e5caa150b119335b8b2fe8c999f8e801c1e74b010ceb58b794804ea6b4b07c61

ef30ffc2d3ba3ec27cfaee6dd4e86f0fa4e2c8799e341affa924e0763d51ed1a

+ 714 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware agilenet spyware stealer family:masslogger

Link:

https://tria.ge/reports/200811-f9c7kgzwm2/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Obfuscated with Agile.Net obfuscator

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/02fcb6cdd4b61cbf7f40448784a36d0067e618cac935aebf6fd6f482af076ba3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip f61786d9a8bde45176d12a9d16a99c7d8e62dddd5138faa0ec38d6810bbb3269

exe 02fcb6cdd4b61cbf7f40448784a36d0067e618cac935aebf6fd6f482af076ba3

(this sample)

Dropped by

MD5 c82f5a04ae02b1768d5e6278856bbb62

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/43318/

Dropped by

SHA256 f61786d9a8bde45176d12a9d16a99c7d8e62dddd5138faa0ec38d6810bbb3269

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample