MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a08d0f514ac2efd07cc045c1b896cf7c6426dd0013ad523a14bbdbce2b25edd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a08d0f514ac2efd07cc045c1b896cf7c6426dd0013ad523a14bbdbce2b25edd
SHA3-384 hash: 898cbeaee499470dc7784f237c0abfe03fe194d8cef3183255e858dc25f7f9770063f34f783c701b152805f84c4029dd
SHA1 hash: 105230ce033771a93e3be121bcbb2b1511ceb008
MD5 hash: a553824d8e07c030ee3d8c8c7ffbde82
humanhash: burger-nevada-white-east
File name:inquiry Nasser Al Falahy.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'059'328 bytes
First seen:2020-08-17 08:12:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:Q0ok8uJXEVO76Xdp+E+uh0Lb+4kopllG8sXMENGHB:Q7utWdp+E+uh03+4kok8LEa
Threatray 786 similar samples on MalwareBazaar
TLSH A0352353F6F4CA12C13D293AC84AAB5413B9BAC66CA2F21EFDD865F995113C50742EC2
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vsjadoncloud.srv5.com
Sending IP: 101.53.136.250
From: Olusum Makina <praapti.s@universalhunt.com>
Subject: please send your quotation & availability as per our request.
Attachment: inquiry Nasser Al Falahy.zip (contains "inquiry Nasser Al Falahy.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ispy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/46799/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Running batch commands
Enabling autorun by creating a file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/432843
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Deletes itself after installation
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 268731 Sample: inquiry Nasser Al Falahy.exe Startdate: 17/08/2020 Architecture: WINDOWS Score: 100 34 Sigma detected: Scheduled temp file as task from temp location 2->34 36 Yara detected MassLogger RAT 2->36 38 Yara detected AntiVM_3 2->38 40 8 other signatures 2->40 8 inquiry Nasser Al Falahy.exe 7 2->8         started        process3 file4 26 C:\Users\user\AppData\...26RQOUAsHhOY.exe, PE32 8->26 dropped 28 C:\Users\...28RQOUAsHhOY.exe:Zone.Identifier, ASCII 8->28 dropped 30 C:\Users\user\AppData\Local\...\tmp80A2.tmp, XML 8->30 dropped 32 C:\Users\...\inquiry Nasser Al Falahy.exe.log, ASCII 8->32 dropped 11 inquiry Nasser Al Falahy.exe 3 8->11         started        13 schtasks.exe 1 8->13         started        15 inquiry Nasser Al Falahy.exe 8->15         started        process5 process6 17 cmd.exe 1 11->17         started        19 conhost.exe 13->19         started        process7 21 powershell.exe 17 17->21         started        24 conhost.exe 17->24         started        signatures8 42 Deletes itself after installation 21->42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5a08d0f514ac2efd07cc045c1b896cf7c6426dd0013ad523a14bbdbce2b25edd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 03:24:40 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lienb5iuvqxp2b6marobxclm67dee3oqae5nki5bjo63zyvsl3oq._file
Verdict:
malicious
Similar samples:
22016decae5f551ae72ddfee99c9a2064dc3dd138d3fe89fb4c56f8fb4d432cd
MassLogger
62fcdae1698a3257838b23279dfb2706ed7eb727cbe24e89ab2445565d45de04
MassLogger
68fc1b87f19de1765e5dab39ebabef62e2acf44a61942918016dad9513e8b910
MassLogger
6acc6132e2b715d36c680d06959661bc650756f8b464a5bc5bcdd8e6faa07a55
MassLogger
93b54f00313eead297d3e2d93c4f84d023f862e524509dd31cd5bf58dfcd0631
MassLogger
a6e562d91aecb4f9ee29779f6d23d4de1e58460e5d3e15182ff1c1ff0ce76610
MassLogger
bd3471318776ee818d9f1b68f84d66b63997c2ca1cf7f6d0070560044a00974e
MassLogger
cc9eb80896d8b2ce5c9725ac37e4af900a6b905b641153bd543fcc68ce115d81
MassLogger
e2ee2925682e188e41fcdf49f0274de4617fc3a9506ad31be7a9caeca6d21b38
MassLogger
fa24e9a733aeaa416ab67d027251e33459cad727d3357d44c91c251d03282fa0
MassLogger
+ 776 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware evasion spyware stealer family:masslogger
Link:
https://tria.ge/reports/200817-vtfejkmets/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Modifies visibility of file extensions in Explorer
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a08d0f514ac2efd07cc045c1b896cf7c6426dd0013ad523a14bbdbce2b25edd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 4e002ce22b5c5778b1f1761aa0e50e4841f708b5754b825fbcc359403c9e0155

MassLogger

Executable exe 5a08d0f514ac2efd07cc045c1b896cf7c6426dd0013ad523a14bbdbce2b25edd

(this sample)

  
Dropped by
MD5 8e59ab04ce35619878226a27062623fd
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/46799/
  
Dropped by
SHA256 4e002ce22b5c5778b1f1761aa0e50e4841f708b5754b825fbcc359403c9e0155

Comments