MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c85e967c0c5b4a332aabcec26d9df72c5a3e959f317ebe08202671e3ec254ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	1c85e967c0c5b4a332aabcec26d9df72c5a3e959f317ebe08202671e3ec254ec
SHA3-384 hash:	83974c918c2272369b62d3d18f725bf9a8dd3d0544b58e9b4c20ef27a8bba12c3d4202834bed975f6288bf1e94297725
SHA1 hash:	29044ec25908e25e2a4ce9371a0184032fa3657c
MD5 hash:	e9d932bed85612d00e3190447999a0fd
humanhash:	angel-nevada-echo-rugby
File name:	CDF CETI-4501067162.PDF.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'794'048 bytes
First seen:	2020-08-05 07:59:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	24576:qtlbHV71kzgTctpwKpwZp0TCVAZaUN+y6PybAPYNo9x:qtlbpegTctpRp9CVAT+y6PybAP
Threatray	25 similar samples on MalwareBazaar
TLSH	5385E1192504CA53E56C3B30A4362F5097E1AE6C6A16D74EFC19726AFBB1FCC4D033A9
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: slot0.gasteev.com
Sending IP: 104.168.220.131
From: info@eleasunn.com
Subject: New Order #3744
Attachment: CDF CETI-4501067162.PDF.gz (contains "CDF CETI-4501067162.PDF.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

65

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/39144/

Detection(s):

SecuriteInfo.com.Generic.mg.e9d932bed85612d0.46.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/410459

Signature

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM_3

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1c85e967c0c5b4a332aabcec26d9df72c5a3e959f317ebe08202671e3ec254ec/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-05 08:01:56 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dsc6sz6ayw2kgmvkxtwcnwo7olc2h2kz6ml6xyecajtr4pwcktwa._file

Verdict:

unknown

Similar samples:

04465041b9f3a9907c9c92d39ae2d375a464047601c68238cc56071a5e9f58fe

38eb441454dd6b9459981660281d748fc8d5052a07b15597d317a3fec3b72400

5568021e42a81a2755fd6d968efa50b13f99a9997d8973097231079de84832ad

760dd5e8864e9c94296e285f17ce5b67c9c36d462cd301fa5a72e20b6c97df33

78bb05f8287c0a41174d810b2e9954b3010b523777ba521ba8336219501bded4

b1dfcf175d2aeff612c4aada38df796c1f4687caacd0b26e02f66485d5a32899

b2e9a56a20c71306ae8965955dfa780b868c5766f3ebb2f8e4c816a305711cdd

b91d1df833c959a0c941ea92dae9d30f23cb4825ae33594da4eafc758a8de10f

d44ec72ea7ed650ad5ae4102ef8b60397673335a4471f2537cf6f5933cc8bf49

d826e50de7b11772bc48d32d0f75b72a7975e469cfe9583a51edbd9bbaa58387

+ 15 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200805-a23khzdh42/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Program crash

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.75

Link:

https://yomi.yoroi.company/submissions/1c85e967c0c5b4a332aabcec26d9df72c5a3e959f317ebe08202671e3ec254ec

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz 020bdfac4afa4c9183053109c34c1e4939ef8aab7a0165857f45b1c727d93704

exe 1c85e967c0c5b4a332aabcec26d9df72c5a3e959f317ebe08202671e3ec254ec

(this sample)

Dropped by

MD5 3ec5b6a1b65bc54fa58aa06f4910c226

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 020bdfac4afa4c9183053109c34c1e4939ef8aab7a0165857f45b1c727d93704

Cape

Cape

https://www.capesandbox.com/analysis/39144/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample