MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e4bbaedb75ecb1dba42d262fbb6c051d30dddbf7d10ceac4086836b67f1dd3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e4bbaedb75ecb1dba42d262fbb6c051d30dddbf7d10ceac4086836b67f1dd3a
SHA3-384 hash: 2926fccc40a61b463d36a4a592500f3e0ee86af0386146e4a4237951b54ff75f5d753ad182673e89fc09f9a8d0c61965
SHA1 hash: 4968389dff39ec793557189977772490a652264d
MD5 hash: a35f10913241fbf50334b4e1bda3337b
humanhash: butter-mountain-princess-hotel
File name:New_Inquiry_080820.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'077'760 bytes
First seen:2020-08-08 08:30:47 UTC
Last seen:2020-08-08 10:09:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:ftMaAAekyUeUNuyaUrpToQZLB75MEdSv7I/9qz5QA:XA7vUjuurNoQL75VdSzII
Threatray 761 similar samples on MalwareBazaar
TLSH 7535C0C0514CBAE6D5D72A705C2EBEB1052EBEF9232095083E0737679973F56229BC4E
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: sg1.productsgood.com
Sending IP: 45.125.192.99
From: MOHAMMED QUTBI <support@haisokbr.go.th>
Subject: New Inquiry
Attachment: New_Inquiry_080820.r00 (contains "New_Inquiry_080820.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42132/
Detection(s):
SecuriteInfo.com.Fareit-FXHA35F10913241.13865.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Running batch commands
Enabling autorun by creating a file
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/415808
Signature
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 260159 Sample: New_Inquiry_080820.exe Startdate: 08/08/2020 Architecture: WINDOWS Score: 88 33 Sigma detected: Scheduled temp file as task from temp location 2->33 35 Yara detected MassLogger RAT 2->35 37 Machine Learning detection for sample 2->37 39 4 other signatures 2->39 8 New_Inquiry_080820.exe 7 2->8         started        process3 file4 25 C:\Users\user\AppData\Roaming\eOYCGE.exe, PE32 8->25 dropped 27 C:\Users\user\...\eOYCGE.exe:Zone.Identifier, ASCII 8->27 dropped 29 C:\Users\user\AppData\Local\...\tmp6F51.tmp, XML 8->29 dropped 31 C:\Users\user\...31ew_Inquiry_080820.exe.log, ASCII 8->31 dropped 43 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->43 45 Injects a PE file into a foreign processes 8->45 12 New_Inquiry_080820.exe 2 8->12         started        14 schtasks.exe 1 8->14         started        signatures5 process6 process7 16 cmd.exe 1 12->16         started        18 conhost.exe 14->18         started        process8 20 powershell.exe 17 16->20         started        23 conhost.exe 16->23         started        signatures9 41 Deletes itself after installation 20->41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e4bbaedb75ecb1dba42d262fbb6c051d30dddbf7d10ceac4086836b67f1dd3a/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-08 07:34:19 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hzf3v3nxl3fr3osc2jrpxnwakhjq3xn7puim5lcaq2bwwz7r3u5a._file
Verdict:
unknown
Similar samples:
038e01d9ad87f69fbf3caf7bde273bb1e6ba2c5445097ff9e0e59c077268a43a
MassLogger
05ca2e91487fabbc48268832f39819dd0bc562b8cd4c3561585f45eb3ed6e683
MassLogger
35b2f307a378cd2165a6aaa088335cad6a3f2e5569f0ed9094f1772de76458f1
MassLogger
36b3044a2e615b0f530f834734bde33e860ca706b0b80e1b73d9c83be186ade2
MassLogger
81710165643580b427259c7069eef6bcfba0ed113f1707edcdf166521cb87d28
MassLogger
9047151fe524a34dffeacd46eba66b4b0a87beb7f3e513ba8e5c6ca367ccc505
MassLogger
a2e0a67287a2ee1bc03f7428f390431ef59f2063e03f2cb75a5ddeb7e5211044
MassLogger
a6d44377671c37e4ef84efae15b17efbcdd03a8b5af2704e74f75126f333196f
MassLogger
daccd93e099119d1c54b6d855d0a9db24e1ebd8eea974badb1ff6d8f0e01865f
MassLogger
e710739997bbb4c0aa3dbbc48746cfd22a223b1d136fcdef77817170ed3f3850
MassLogger
+ 751 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200808-vslyt9ebvx/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/3e4bbaedb75ecb1dba42d262fbb6c051d30dddbf7d10ceac4086836b67f1dd3a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 33705d10fd5b100da5081eba5b1e831bcbdb98800c9180a2618d2bbe9d19c037

MassLogger

Executable exe 3e4bbaedb75ecb1dba42d262fbb6c051d30dddbf7d10ceac4086836b67f1dd3a

(this sample)

  
Dropped by
MD5 f92f5026ef4f60a498542783563092c7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/42132/
  
Dropped by
SHA256 33705d10fd5b100da5081eba5b1e831bcbdb98800c9180a2618d2bbe9d19c037

Comments