MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57b56569fafe3fc9833c76364bef0b53aae2410427dfddd0b3dd18bb151cf465. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	57b56569fafe3fc9833c76364bef0b53aae2410427dfddd0b3dd18bb151cf465
SHA3-384 hash:	fe2ed39c3b6f3f326355073e60e0cf479a0c9ec68703622f58e3cae94541a9f3320a163bf63480e2302e2f31f6e847b4
SHA1 hash:	c059086fe96eb7b6c7a62ff12c902518d69b9a10
MD5 hash:	9f8baf6c392e89a297ad7f7ecf19cd53
humanhash:	burger-alaska-wisconsin-golf
File name:	7245315423g7.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'588'736 bytes
First seen:	2020-08-05 11:42:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:NXZASMKqYZjzjy2y3bAD1A2GRY5IcjoKpnisA3V:7BM3E03MxA2G+IIoKpniP3
Threatray	701 similar samples on MalwareBazaar
TLSH	3675083639829824C56A4775C0789DC0A365768B3B96CF1F308B138D6E0379FBB1B56B
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: server.gestionmail.com
Sending IP: 84.246.211.24
From: info@afroturklogistics.com
Subject: FW: Scanning from a Samsung All-in-One
Attachment: 7245315423g7.zip (contains "7245315423g7.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

72

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Running batch commands

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/411024

Signature

.NET source code contains very large array initializations

Deletes itself after installation

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/57b56569fafe3fc9833c76364bef0b53aae2410427dfddd0b3dd18bb151cf465/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-05 11:44:10 UTC

AV detection:

19 of 29 (65.52%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=k62wk2p27y74taz4oy3ex3ylkovoeqiee7p53uft3umlwfi46rsq._file

Verdict:

suspicious

Similar samples:

0a3f320d6e46c364aae4b55f4853d8aff3d6a9d6117cb176b957c298e9184f29

12196207ffedfa2675b71f8c086df39c8ae73eb0fb2909674044ec3a45772d6b

2e5c6ecfef94f9922f152344b96041b85bf2dc01136e921e2d8c644d903b708d

3f97dfbae448b3eb28d6f08f666029037d890dc94dbce0e372b4dd2a63fd037f

434b95216fefcfdef179cbafe780e88243b818bce4ab11b88863bedc4a9cc0d0

4882ceb8e3f4b34b1446518b39b4d878f59c3ef27124e38aefd67faa9200e127

69842a6dc654dfc2d3a69b566e90679318cbac7209d4286df9af58b8e173ab90

70440fbc25870bbadcbe1278c0772221c0a8a34058aa1bbe8f5d00a72a1c883a

89b4121aae370dd8b644fc0e426e24d17087b25e1646aaf02e56b147627efd16

8b1dca219122f7fb445edb2665d3bb2dac8983e61c380e15fc8e76087503ef84

+ 691 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200805-f3pyrm3wca/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger log file

MassLogger

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/57b56569fafe3fc9833c76364bef0b53aae2410427dfddd0b3dd18bb151cf465

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip c04c248b440d97cbb2525d179d781580c0ef0d7a0a96a59e4b8675429fda5218

exe 57b56569fafe3fc9833c76364bef0b53aae2410427dfddd0b3dd18bb151cf465

(this sample)

Dropped by

MD5 caa6744f7ec49ecdcfb73ab56f3ffd97

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/39451/

Dropped by

SHA256 c04c248b440d97cbb2525d179d781580c0ef0d7a0a96a59e4b8675429fda5218

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample