MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f3ee8bb321639618ea25d8ceb965d1c695255e5a28b48bd62a659f8b84872cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f3ee8bb321639618ea25d8ceb965d1c695255e5a28b48bd62a659f8b84872cc
SHA3-384 hash: 258b7aa9fa7c8d9bb2d8af5cf4ef731e49e3a06651b1e7ea3a12398f77366025e5368d07c3eca3b6086ac5ea446ed99f
SHA1 hash: 8521395234031b940e4cbd818ae704d72f3d23c3
MD5 hash: 32eabca3dcec2c7716acd741336a1e25
humanhash: hot-september-grey-comet
File name:Pago 26 May 2020 at 1.15_DPp343_PDF.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'308'672 bytes
First seen:2020-05-26 11:05:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:xSJ6N7cP0x59tlyXwHq5xNCvK4pdlnt0h:x3D9DzHs2Kalnt
Threatray 988 similar samples on MalwareBazaar
TLSH 09556B3371D28408C87A167A146AAAC476E5BB8637528B2FF55F534F1F02B3E6B501CE
Reporter abuse_ch
Tags:CaixaBank ESP exe geo MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: server.lazul.com
Sending IP: 82.194.91.57
From: La Caixa <direccion@eucov.com>
Subject: RV: ConfirmaciĆ³n de pago
Attachment: Pago 26 May 2020 at 1.15_DPp343_PDF.exe

MassLogger SMTP exfil server:
mail.pooldeexcursiones.es:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 11:36:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
23 of 48 (47.92%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0ffa7ac2091ab004e6755e1e66539633b6a628e90094d80357895df0e6092f9c
MassLogger
13dd79b77c2ed2ba77d509e2d3b4621e83f7105674353f7e30930e07b099bce5
MassLogger
239fca3f5df496aab1b7c7696aaa26d77174501abc9cb1c1e12a188584d745cc
MassLogger
40eac0b9c7fb03c9f4a54a82b47534babfdcc931b5d83832f1ae2facd9fe0cc3
MassLogger
92fe26c8230e536786caaa0932023f795e94d364ef3221a728d81d7ef90afd2a
MassLogger
a2c284a50d4fc05794e3bce123492bd9e547b272d9f7b87832fdc72b681580e7
MassLogger
a325f636f8f04610f7abed81f75739bba89f86d802415efd6725e127619cbf02
MassLogger
a412b9a89e53822798a37e00efb760bf4556140d0c1088b440aaa57f10869603
MassLogger
c576ee9b927aa490d554523d3faf7be5a897f215972f2973bafb62c1465123bb
MassLogger
dbdbfa24b62d54b1624dac7d07bd939677342c820867b0d8993f0ab95af3d342
MassLogger
+ 978 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger agilenet ransomware spyware stealer
Link:
https://tria.ge/reports/201109-m8qtvb4t32/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
MassLogger
MassLogger Main Payload
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe 4f3ee8bb321639618ea25d8ceb965d1c695255e5a28b48bd62a659f8b84872cc

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments