MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 114ba0c81a5ac12f589504d2693d6cb0a845e119bf305fc9eb7b8e756b385f91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash: 114ba0c81a5ac12f589504d2693d6cb0a845e119bf305fc9eb7b8e756b385f91
SHA3-384 hash: f40853b4b69684780f0d13b65fa5bea7889a9e557c88c8b5a31530b27533214049497e64e31bd8025042eb8b9c8390b9
SHA1 hash: c0959d7452226d7287bbcf6088ad2deb16eb7459
MD5 hash: ac000598bac3110f6f3ddba519435ad8
humanhash: nineteen-moon-aspen-winner
File name: Ziraat Bankasi Swift Mesaji.exe
Download: download sample
Signature: MassLogger
File size: 1'613'312 bytes
First seen: 2020-07-31 10:16:56 UTC
Last seen: 2020-07-31 11:08:49 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 24576:ZHLTpMI6zKmxRK7nYoZYoEx1AdCGmSc3B7prS8:xXYKmC7zeoE4dNm73B75S8
TLSH: 4C753A3AB1538444C95C9A35C0A8DCE077A67E4B3792CB1E70DA170A7E03B5BBB0B55B
Reporter: @abuse_ch
Tags: exe geo MassLogger TUR ZiraatBank


Twitter
@abuse_ch
MassLogger SMTP exfil server:
mail.debi.com.tr:587

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 31
Origin country: US
Mail intelligence
No data
Vendor Threat Intelligence
Result
Threat name:
MassLogger RAT
Detection:
malicious
Classification:
troj.evad
Score:
63 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Creates an autostart registry key pointing to binary in C:\Windows
Creates executable files without a name
Injects a PE file into a foreign processes
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected MassLogger RAT
Behaviour
Behavior Graph (ID 255288):
Sample: Ziraat Bankasi Swift Mesaji.exe, start date 31/07/2020, architecture WINDOWS, score 63
Sample-level signatures:
    Yara detected MassLogger RAT
    .NET source code contains very large array initializations
    May check the online IP address of the machine
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Process tree:
    Ziraat Bankasi Swift Mesaji.exe (started)
        Dropped files:
            C:\Users\user\Desktop\.exe (PE32)
            C:\Users\user\AppData\...\AddInProcess32.exe (PE32)
            C:\Users\user\Desktop\.exe:Zone.Identifier (ASCII)
        Signature: Creates executable files without a name
        .exe (started)
            Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
            AddInProcess32.exe (started)
                Network: elb097307-934924932.us-east-1.elb.amazonaws.com (54.225.191.113, ports 49731 -> 80, AMAZON-AESUS United States); nagano-19599.herokussl.com; api.ipify.org
                Signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
        cmd.exe (started)
            reg.exe (started)
                Signature: Creates an autostart registry key pointing to binary in C:\Windows
            conhost.exe (started)
    pcalua.exe (started)
    pcalua.exe (started)
Threat name:
ByteCode-MSIL.Trojan.FormBook
Status:
Malicious
First seen:
2020-07-31 10:18:10 UTC
AV detection:
17 of 31 (54.84%)
Threat level:
5/5
Result
Malware family:
masslogger
Score:
10/10
Tags:
ransomware persistence spyware stealer family:masslogger
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
MassLogger log file
MassLogger
Threat name:
Malicious File
Score:
1.00

Yara Signatures


Rule name:masslogger_gcch
Author:govcert_ch
Rule name:win_masslogger_w0
Author:govcert_ch

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments