MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ae98808b96b08f4de9c3c5cfdd54c2021c7fcd63b66965373c23a1376993831. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	0ae98808b96b08f4de9c3c5cfdd54c2021c7fcd63b66965373c23a1376993831
SHA3-384 hash:	04474a1bb7f14b94466c7a776a0b35a534949d592448ed6196b06f5e2b0e2f1878fd1c9d2bbf3c8068fa036ef654b3f1
SHA1 hash:	8341fa2b97065f7d686a1fefdaccf5b9ad26b8af
MD5 hash:	ac342ebf7c1a738caf7c05b3f29e0922
humanhash:	fourteen-iowa-glucose-low
File name:	xlArf4nClBvLTj0.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	821'760 bytes
First seen:	2020-08-13 05:47:33 UTC
Last seen:	2020-08-13 13:20:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:5fdIMWjF+j4VBFkGe+XmnaYqH7WGTR27y1EYps32vbfW43JH3e6WQQzmEBc:5UjIY5ewYUHTR22VO3gX3Fe6WzaEBc
Threatray	521 similar samples on MalwareBazaar
TLSH	9F0501B033A69952C3AD0D78112350806FB23A1BFF95D74E1E8961EE08B9FB57241F5B
Reporter	abuse_ch
Tags:	exe Hostwinds MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: hwsrv-760085.hostwindsdns.com
Sending IP: 104.168.148.163
From: Casey Shaw <iwalker@multipowerproducts.com>
Reply-To: iwalker@multipowerproducts.com
Subject: RE:RECIBO DE TRANSFERENCIA BANCARIA
Attachment: Bank Slip.zip (contains "xlArf4nClBvLTj0.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

73

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/44805/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.405.5988.13335.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Running batch commands

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/425082

Signature

Deletes itself after installation

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0ae98808b96b08f4de9c3c5cfdd54c2021c7fcd63b66965373c23a1376993831/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-13 00:52:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

5

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bluyqcfznmepjxu4hrop3vkmeaq4p7gwhntjmu3tyi5bg5uzhayq._file

Verdict:

unknown

Similar samples:

045cfe04d64a1c71873d0fb2dbd1a48471f9918b1649b87ef001010dfc2a4286

09fb066f4a5fbc57b4d592a8443151578605c8a573746c3989a79bd1fa28c3a2

76933bfe9afdf8d266352155f09995acadcab23345fabe2518d5bf15d45c9cd4

89c1555df1aec68698da57ff4e65909c72081a3560d59e0ccdc8b150adcdf9f6

bc13ffa3b767641ff58d98c8df48167b55c45fb97335b4819c4af8a57af47ff1

c744751ad79f737ac78fe9c69afac4c7b8940951b2fe67d20175d27e77721371

c8014126255b80593651f5fe1e69e069147866498dbb78129f775d76a0fa8682

c8174141c60baa057aa9780fdb5fe1e4af59b9d3a9d5a1d8ab7d929b13d3882b

f98b35d218026beac9f13d886758bb0712fda3dc74ae7fbc5b29ce5fb63109ab

ff0b197ef34800ad007a5caedaf485af5ae523343ce8ec106d3a253d2c0a4a35

+ 511 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware stealer spyware family:masslogger

Link:

https://tria.ge/reports/200813-fntqjzh8ca/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0ae98808b96b08f4de9c3c5cfdd54c2021c7fcd63b66965373c23a1376993831

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 51e1ccab6a0fa7d4ba112fc58daaec419030f140c4fe9d5afa1ab01abd3fbd82

exe 0ae98808b96b08f4de9c3c5cfdd54c2021c7fcd63b66965373c23a1376993831

(this sample)

Dropped by

MD5 b02e076be3851a3d75a408e0e3ff7228

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/44805/

Dropped by

SHA256 51e1ccab6a0fa7d4ba112fc58daaec419030f140c4fe9d5afa1ab01abd3fbd82

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample