MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4882ceb8e3f4b34b1446518b39b4d878f59c3ef27124e38aefd67faa9200e127. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4882ceb8e3f4b34b1446518b39b4d878f59c3ef27124e38aefd67faa9200e127
SHA3-384 hash: 61c077ad2fc565d72d556142605cc2266fe50f99661ef1faf500cd33897d9e11e8325f8b3a5e0de9934c19707df73254
SHA1 hash: 86e4fedbad4678edd2e999764c6d487858793f2e
MD5 hash: 9a4eec30210edbe451087ea5947180bc
humanhash: georgia-orange-network-red
File name:369273 gz.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'576'448 bytes
First seen:2020-08-03 12:42:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:eHLT0Zjzjy2y3bAD1A2GRY5IcjoKpnisA3:IXY03MxA2G+IIoKpniP3
Threatray 697 similar samples on MalwareBazaar
TLSH 1075393A39C39428C92A073A84B85DC17766764B3B97CF0F319703495E03BAFBB4655A
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

From: Yves Concil <yves.concil@kimco.be>
Subject: Purchase Order369273
Attachment: PO369273gz.zip (contains "369273 gz.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Fareit-FVT9A4EEC30210E.24987.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/407871
Signature
.NET source code contains very large array initializations
Deletes itself after installation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 256167 Sample: 369273 gz.exe Startdate: 03/08/2020 Architecture: WINDOWS Score: 64 19 Yara detected MassLogger RAT 2->19 21 .NET source code contains very large array initializations 2->21 23 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 2->23 25 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->25 8 369273 gz.exe 3 2->8         started        process3 process4 10 369273 gz.exe 2 8->10         started        process5 12 cmd.exe 1 10->12         started        process6 14 powershell.exe 17 12->14         started        17 conhost.exe 12->17         started        signatures7 27 Deletes itself after installation 14->27
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4882ceb8e3f4b34b1446518b39b4d878f59c3ef27124e38aefd67faa9200e127/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 12:44:08 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jcbm5ohd6szuwfcgkgfttngypd2zypxsoesohcxp2z72veqa4etq._file
Verdict:
suspicious
Similar samples:
0a3f320d6e46c364aae4b55f4853d8aff3d6a9d6117cb176b957c298e9184f29
MassLogger
12196207ffedfa2675b71f8c086df39c8ae73eb0fb2909674044ec3a45772d6b
MassLogger
2e5c6ecfef94f9922f152344b96041b85bf2dc01136e921e2d8c644d903b708d
MassLogger
3f97dfbae448b3eb28d6f08f666029037d890dc94dbce0e372b4dd2a63fd037f
MassLogger
57b56569fafe3fc9833c76364bef0b53aae2410427dfddd0b3dd18bb151cf465
MassLogger
69842a6dc654dfc2d3a69b566e90679318cbac7209d4286df9af58b8e173ab90
MassLogger
70440fbc25870bbadcbe1278c0772221c0a8a34058aa1bbe8f5d00a72a1c883a
MassLogger
89b4121aae370dd8b644fc0e426e24d17087b25e1646aaf02e56b147627efd16
MassLogger
8b1dca219122f7fb445edb2665d3bb2dac8983e61c380e15fc8e76087503ef84
MassLogger
cc6b0848a3a848c9ee7ce3f63d1e3f95393f6593140e2aab400146c06e593793
MassLogger
+ 687 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200803-blp1mznnja/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger log file
MassLogger
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4882ceb8e3f4b34b1446518b39b4d878f59c3ef27124e38aefd67faa9200e127

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip a238d109702667b33c62c8edcb134453d2ad51307ff3235f848c350be7168cc3

MassLogger

Executable exe 4882ceb8e3f4b34b1446518b39b4d878f59c3ef27124e38aefd67faa9200e127

(this sample)

  
Dropped by
MD5 b7aa170e02d9e2aa07c9c45b3fffa462
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/37800/
  
Dropped by
SHA256 a238d109702667b33c62c8edcb134453d2ad51307ff3235f848c350be7168cc3

Comments