MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c7ac0a31c8828ec11ad0c9dd80f8809fb1248f5c36b6b34d8c9974aa8ecaa06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	2c7ac0a31c8828ec11ad0c9dd80f8809fb1248f5c36b6b34d8c9974aa8ecaa06
SHA3-384 hash:	35197f9b174a1bfbd65968f562e7f6798be64761d385c3a72f1844f4c94d4e2056d1b47a38758fcea917ba0d31746026
SHA1 hash:	2f75dafd4572c02109d275268534f4935babbe4e
MD5 hash:	052f8ea1a01cb3a6b7df01bfd3868601
humanhash:	ink-lithium-oklahoma-ceiling
File name:	PO. 74823.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'242'624 bytes
First seen:	2020-08-18 06:30:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:oS1QbvgWK5WpLzkQgEuWjzikA1SNuD4cFwJEV6Q576QpVu6kxuCj9Rm:hQbvxaWuQgEfzi1DdFwGBdpUxuCjHm
Threatray	614 similar samples on MalwareBazaar
TLSH	1A45383A30C64C38C815A5B26078ADC2B7627A453FC48B2F65DB439CAE1395BFB3585D
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing MassLogger:

HELO: server.domain.com
Sending IP: 89.38.225.219
From: Sophie Loynds <mwarowny@wolhbi.com>
Subject: PO. 74823
Attachment: PO. 74823.gz (contains "PO. 74823.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Ispy

Link:

https://www.capesandbox.com/analysis/47540/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% subdirectories

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Moving a recently created file

Deleting a recently created file

Setting a global event handler for the keyboard

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2c7ac0a31c8828ec11ad0c9dd80f8809fb1248f5c36b6b34d8c9974aa8ecaa06/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-17 10:47:42 UTC

AV detection:

28 of 48 (58.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fr5mbiy4rauoyennbso5qd4ibh5reshvynvwwngyzgluvkhmvida._file

Verdict:

unknown

MassLogger

30bf20d0b592d380864b7ad863e8189d9375ff925d75131221bfdb33a3645199

MassLogger

4fd6cfb4c08338e8b3a6ec64118aa6ad90350e865e90365b5b700aa41908b984

MassLogger

66be42e48ac5cca62e07acb170e1965756f0556ac5ad9a3070c64c6e74a11fa7

MassLogger

6c77b454db79850455c97fece27e8b924c7b41ffcd43a7cc0941b26d2fb6454b

MassLogger

9295ce88660ed117b7cfff0886232a51dc6492bf6100738957bf93fabdb74bb8

MassLogger

9d3df770b6dcd5beb650a097a597bb70c49dde306517bbc731812bf18a806719

MassLogger

f47cae95fdb8b43629d894b6d2b595b06e93e84f4f0bb2b0837703b6d2bde158

MassLogger

f7505d1a7254a1a38c4570f0abb3fe3a462d3c34efca6372841ac37876d2af05

MassLogger

fe4f9a7b5da072d7af80c2d4d91e47888e0420e7c5ee8fd8c051d44283ac0c41

MassLogger

+ 604 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware agilenet stealer spyware family:masslogger

Link:

https://tria.ge/reports/200818-zqr4kdv7rx/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.