MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2302005fdd7c57d73c350d541fd0020b051efffdf02a4f3c3e1671cacea30043. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	2302005fdd7c57d73c350d541fd0020b051efffdf02a4f3c3e1671cacea30043
SHA3-384 hash:	a4ca61b700dcf66ff929c8bd839205cd500545a6e9963807f632dce2957e379d662bdf094eb3500a753c204b2aa1d7c2
SHA1 hash:	89a9d6a4d974fe7cde6ec896c5dc19283b0f63f4
MD5 hash:	2ebff22a63913f818834de7c54a0e354
humanhash:	hotel-music-pizza-rugby
File name:	Order Inquiry with Design Samples.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	919'040 bytes
First seen:	2020-08-06 05:34:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:oV+y0Kj9mSTwtBmoQfe+YGFJpvKU27qwkeLDNh:oVnv9mSXNvpvezDNh
Threatray	706 similar samples on MalwareBazaar
TLSH	E315232D2B46751DC55CC3B46CDB7BF069F16D88F8025F28811A75BB2FAA2D0B4412AF
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: mailsnd3.chol.com
Sending IP: 203.252.1.124
From: 김진현 <www88@chol.com>
Subject: FW:RE:Re:?Alibaba_Inquiry_Notification?Kim_from_South_Korea_has_sent_you_an_inquiry
Attachment: Order Inquiry with Design Samples.zip (contains "Order Inquiry with Design Samples.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

66

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Ispy

Link:

https://www.capesandbox.com/analysis/40051/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Running batch commands

Creating a file

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/412103

Signature

Deletes itself after installation

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2302005fdd7c57d73c350d541fd0020b051efffdf02a4f3c3e1671cacea30043/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2020-08-06 02:44:07 UTC

AV detection:

22 of 48 (45.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=embaax65prl5opbvbvkb7uacbmcr57756ave6pb6czy4vtvdabbq._file

Verdict:

unknown

Similar samples:

00c3032bacb17b0624f5f550e22169259a9f4c1212845cb202be466fae55aaf7

1bf67b967c8397bfab22e326bce6efa64c647206102d4753569ba1abb538d685

20ec6cdb323f2e2eea0bfb107e820a079a41a3fc6afdf8378de930d7aa7b4160

49624f5c771ea1f722d434fe9ddb5985529f67ebb0398ed54f5565ba5e470251

4c172115335644672c3a6ef0b6db25528e124eed105da496db95f2672d7120ea

9bd0b49f2258798d9ee1a8a766bf3fff7527ca463d24f35b27081879cf937890

a551bc2327862c1430dac51dce368001622525fae235ca689f7b055e0d3125c7

aa30ea6f5603484a2f71a0fa1429cef880ee018c6b3557ad09708dca055cbb22

cf9aa52cd8829760f779772b7b483ff039100b5d6311c85f969553b6ce66d58b

fc9d50ccd0d0a267f1fa1003607ea81931a9c1f857798c3b10af9b5408f01437

+ 696 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware agilenet spyware stealer family:masslogger

Link:

https://tria.ge/reports/200806-264breyj6x/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Looks up external IP address via web service

Obfuscated with Agile.Net obfuscator

Reads user/profile data of web browsers

MassLogger log file

MassLogger

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2302005fdd7c57d73c350d541fd0020b051efffdf02a4f3c3e1671cacea30043

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 945de800ae672cc44cca74776ec9b3658aaa8dd14d6fef5643f6641a618a92e4

exe 2302005fdd7c57d73c350d541fd0020b051efffdf02a4f3c3e1671cacea30043

(this sample)

Dropped by

MD5 571f3113c938be5a96aed8f2ff16427d

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/40051/

Dropped by

SHA256 945de800ae672cc44cca74776ec9b3658aaa8dd14d6fef5643f6641a618a92e4

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample