MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1872a9eaa84a2a54125c3d8e5196f998808f808942c69192340e731a58ff971f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1872a9eaa84a2a54125c3d8e5196f998808f808942c69192340e731a58ff971f
SHA3-384 hash: 78a416ead6be9c11aab0674c0bde65b221bf37591e89d3acca04d9bc30430d7e5c59617212700f097068a27cf049992c
SHA1 hash: 01ac8fb2a2810aa5eef6b113a6b8c70a7acb8ffc
MD5 hash: 9c2453b22e9e215094d90a25303ae8d2
humanhash: quebec-hawaii-maine-london
File name:Migliore consulenza globale sui pagamenti PI # CFL002 19A.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'341'440 bytes
First seen:2020-08-07 13:26:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:D/grpiAOLnD0seAqRx1ib2tzr3wmfprCPoDcWNQ63qS0ckDOjgK/AYLbqYIK6pDQ:0QAOERxb33hQGk0qIkDOfjbqiWOUTc
Threatray 7'186 similar samples on MalwareBazaar
TLSH EB55CF80F148EAADFC5A4F31987A9C3442237D3AACB9D20E365FB2255B773C21465E17
Reporter abuse_ch
Tags:exe geo ITA MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: allianz.it
Sending IP: 95.211.208.25
From: Cristina Sasso <cristina.sasso@allianz.it>
Subject: Migliore consulenza globale sui pagamenti // PI # CFL002 / 19A
Attachment: Migliore consulenza globale sui pagamenti PI CFL002 19A.gz (contains "Migliore consulenza globale sui pagamenti PI # CFL002 19A.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41654/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Running batch commands
Enabling autorun by creating a file
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/415311
Signature
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 259910 Sample: Migliore consulenza globale... Startdate: 07/08/2020 Architecture: WINDOWS Score: 92 34 Sigma detected: Scheduled temp file as task from temp location 2->34 36 Yara detected MassLogger RAT 2->36 38 Yara detected AntiVM_3 2->38 40 6 other signatures 2->40 8 Migliore consulenza globale sui pagamenti  PI # CFL002  19A.exe 7 2->8         started        process3 file4 26 C:\Users\user\AppData\Roaming\eeHbKjHwF.exe, PE32 8->26 dropped 28 C:\Users\...\eeHbKjHwF.exe:Zone.Identifier, ASCII 8->28 dropped 30 C:\Users\user\AppData\Local\...\tmpAEC8.tmp, XML 8->30 dropped 32 Migliore consulenz...CFL002  19A.exe.log, ASCII 8->32 dropped 42 Injects a PE file into a foreign processes 8->42 12 Migliore consulenza globale sui pagamenti  PI # CFL002  19A.exe 2 8->12         started        14 schtasks.exe 1 8->14         started        16 Migliore consulenza globale sui pagamenti  PI # CFL002  19A.exe 8->16         started        signatures5 process6 process7 18 cmd.exe 1 12->18         started        20 conhost.exe 14->20         started        process8 22 powershell.exe 19 18->22         started        24 conhost.exe 18->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1872a9eaa84a2a54125c3d8e5196f998808f808942c69192340e731a58ff971f/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-07 13:28:12 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dbzkt2vijivfies4hwhfdfxztcai7aejildjderubzzruwh7s4pq._file
Verdict:
malicious
Similar samples:
2793ca2b4f702f2ddfcaeb0ccde6700da8b215b9894cf72adbece6a4d57a8e67
MassLogger
28a945b0afb49fe99da8a39746a00b93c1a2c0d5b8735e11d8617bd696b2f199
MassLogger
2a1b3187f7000dfb10dff758fe598e73e58d6864c5a4579e7c35acd88314ca20
MassLogger
2eea41fa4b1a202182851d36b3866be43e1ba8c4912c18290caaac84da4dbcce
MassLogger
59b3d10d21cabf7b65afd5c425a6c0be1778646a1e5e1411875e8c52e38410b8
MassLogger
9b8c523e9a551600cec0e653e4c8085dcf1b4a7e77559a903e64e7f1aa659223
MassLogger
a13424875703c2b22381b0f2db797498bca3ac5b677e2e30ae3441aeff6b9e0e
MassLogger
a551bc2327862c1430dac51dce368001622525fae235ca689f7b055e0d3125c7
MassLogger
e5caa150b119335b8b2fe8c999f8e801c1e74b010ceb58b794804ea6b4b07c61
MassLogger
fa473a9f7280e22e757799c9d18a21bded2f5500a47063e926105db33e77b4f8
MassLogger
+ 7'176 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200807-lbt2pw3dea/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/1872a9eaa84a2a54125c3d8e5196f998808f808942c69192340e731a58ff971f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip a5e16f52aecbd84b4897d739f23b0ab3adb32bc43e508b79a537df00549ca2df

MassLogger

Executable exe 1872a9eaa84a2a54125c3d8e5196f998808f808942c69192340e731a58ff971f

(this sample)

  
Dropped by
MD5 1b248bbd1b577441942c6443ffe7c82a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/41654/
  
Dropped by
SHA256 a5e16f52aecbd84b4897d739f23b0ab3adb32bc43e508b79a537df00549ca2df

Comments