MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6355c80bc28b3567eb84ed261940bfd469c5482efa5b20ff46b7aa221ad0d7fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6355c80bc28b3567eb84ed261940bfd469c5482efa5b20ff46b7aa221ad0d7fb
SHA3-384 hash: a642e52912352d6c1a0acd89abc3310fe35de9afcb1463b5a89aff58c3e60583b5c5c181b3dbc14602ffabd82f7de8c3
SHA1 hash: 6085cb12c9163821938ef9716c9cd2ae8ce94b04
MD5 hash: 254868d844df8a86364ca79bbe786a5a
humanhash: video-music-purple-november
File name:Ziraat Bankasi Swift Mesaji.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'553'408 bytes
First seen:2020-08-05 11:35:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:OXZASMOI6zKmxRK7nYoZYoEx1AdCGmSc3B7prS8:4BMAKmC7zeoE4dNm73B75S8
Threatray 279 similar samples on MalwareBazaar
TLSH B6754A2679478824C56A0735C0659DC0BBB5AA4A3B86CB1F31C72348AE1379BFF0765F
Reporter abuse_ch
Tags:exe geo MassLogger TUR ZiraatBank


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: ileti.ziraatbank.com.tr
Sending IP: 45.138.172.58
From: ZIRAAT BANKASI <ziraatbank@ileti.ziraatbank.com.tr>
Reply-To: ZIRAAT BANKASI <ziraatbank@ileti.ziraatbank.com.tr>
Subject: 11000, USD Swift Bildirimi
Attachment: Ziraat Bankasi Swift Mesaji.r00 (contains "Ziraat Bankasi Swift Mesaji.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39442/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Launching the default Windows debugger (dwwin.exe)
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/410964
Signature
.NET source code contains very large array initializations
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6355c80bc28b3567eb84ed261940bfd469c5482efa5b20ff46b7aa221ad0d7fb/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 11:37:12 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mnk4qc6crm2wp24e5utbsqf72ru4ksbo7jnsb72gw6vcegwq275q._file
Verdict:
unknown
Similar samples:
07d2803931b06ba2fa9c0d9e7e46bcd1cd707ef15b7ce0e58dc0564ee1b7a82f
MassLogger
131ca249c6d904b59e7afc79bdfc5d8159b2c92478fb332460bcba661f18f5bc
MassLogger
1cd2e3b696656354859e0ffdb5bca866fadf42f59c9e2da1c228e0b52fa5f368
MassLogger
443bc33e9d28fddd4229367cde23085b8d57549093ce8e991eb4753ce58c85fe
MassLogger
62cfa247e54cae77546bcd7e86bd5a80dafc3ffc3efafb7ab9693038d3d665d4
MassLogger
6ed714be9b4c3ca5506399b694e50451c59ae22c19963f575f22613e26ee26cf
MassLogger
83e9076753760835170cb3a4cbab7a3d8f72c458ccfc4e292f6927fd0f231d3e
MassLogger
94810a88f62f692d97450a002cd87622e926b0c648bdcc95db8b8644760901cc
MassLogger
dda25996ab5b78fa63ab71aa304360374fe2eb6ded670c778b2c69d9fa1f1e40
MassLogger
ef8f03a25087eeab581d8439a0a19ba7148270d2210d479c1d6867fac69dc813
MassLogger
+ 269 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200805-nygvfdfsbn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.84
Link:
https://yomi.yoroi.company/submissions/6355c80bc28b3567eb84ed261940bfd469c5482efa5b20ff46b7aa221ad0d7fb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

r00 5e1cd9e8f679705e731dc149fa74f1e9730337cc848095fc0dd9edb52a52441a

MassLogger

Executable exe 6355c80bc28b3567eb84ed261940bfd469c5482efa5b20ff46b7aa221ad0d7fb

(this sample)

  
Dropped by
MD5 4dd215c65e618acde24952e800907184
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/39442/
  
Dropped by
SHA256 5e1cd9e8f679705e731dc149fa74f1e9730337cc848095fc0dd9edb52a52441a

Comments