MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23eb05b6df962a953c50eabb579e6a0a9358ca3f1a6319b9a98bbdb0be4ed611. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23eb05b6df962a953c50eabb579e6a0a9358ca3f1a6319b9a98bbdb0be4ed611
SHA3-384 hash: a3891cf591b0704f8743ac3d5549978074d654f59df6f0e2237264683473b3badeb2708a4197d627d6e999eb618754d4
SHA1 hash: 9be9a64ba0ac8fbfd372a32a49d57ffaaa4225b0
MD5 hash: 9dafafa457d2d4d58a05bae27c50eabc
humanhash: mississippi-mountain-uniform-blue
File name:PETRONAS MALAYSIA INVITATION TO BID FOR Provision of Engineering, Procurement, Construction, Installation and Commissioning.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:891'392 bytes
First seen:2020-07-28 15:17:59 UTC
Last seen:2020-07-28 15:49:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:V8phMdavCdMf8487RAnzTqvbZ6uHPCrUsET:kvvSQqY1e
Threatray 695 similar samples on MalwareBazaar
TLSH 1B15231034C49336C27E13FA468852A513F3B69A621DD70DAF9C50FD9C6BF099362EA7
Reporter James_inthe_box
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Inject3.45379.11887.9287.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/400657
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 252661 Sample: ssioning.exe Startdate: 29/07/2020 Architecture: WINDOWS Score: 96 25 Antivirus / Scanner detection for submitted sample 2->25 27 Multi AV Scanner detection for submitted file 2->27 29 Yara detected MassLogger RAT 2->29 31 4 other signatures 2->31 8 ssioning.exe 3 2->8         started        process3 file4 21 C:\Users\user\AppData\...\ssioning.exe.log, ASCII 8->21 dropped 33 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->33 35 Injects a PE file into a foreign processes 8->35 12 ssioning.exe 2 8->12         started        signatures5 process6 process7 14 cmd.exe 1 12->14         started        process8 16 powershell.exe 17 14->16         started        19 conhost.exe 14->19         started        signatures9 23 Deletes itself after installation 16->23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/23eb05b6df962a953c50eabb579e6a0a9358ca3f1a6319b9a98bbdb0be4ed611/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-07-28 12:39:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=epvqlnw7syvjkpcq5k5vphtkbkjvrsr7djrrtonjro63bpso2yiq._file
Verdict:
suspicious
Similar samples:
271ae8f2104165d934488b9888b1fdcf6d6ec9a2263a603270ac9098f5d27323
MassLogger
3ba509359db69542f368af1d41dd8fa1c116e3e31ded1879872bb34a41f9cbbb
MassLogger
3fd662d7caf82ecc8b61b4fa261bc51510851aa36099a85f66c2689c507e11d7
MassLogger
75ec88e7dccc7e244413b855f91a0105d3349f318c6caa98eb0ba3cb31055647
MassLogger
785b500d98d194c034b9c371eee464210f08aae5d83829c6262b713c3bb57a6e
MassLogger
961ca60cc81e38eacdf3197954394b03430b09a5613db567adfab92a3a718d0b
MassLogger
a551bc2327862c1430dac51dce368001622525fae235ca689f7b055e0d3125c7
MassLogger
a654772e801683ef8639985af05c8845d16ab48df5c6a8e65d014251692d73d2
MassLogger
c9787a5aeefa1606bd166b54177d9f685dd01f03632ff9f3952909193c657028
MassLogger
fc0bbe3c37a9d40c7cefaa4b5ec668b1b9513815dfbb73eaf1d3f4d8a56e0edc
MassLogger
+ 685 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200728-h7lm3b84as/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger log file
MassLogger
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/23eb05b6df962a953c50eabb579e6a0a9358ca3f1a6319b9a98bbdb0be4ed611

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/33853/

Comments