MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92a7c4b4694b3849c97651e3c5713eedbf3e9a5f157724d6ca9047b05ed0e3d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92a7c4b4694b3849c97651e3c5713eedbf3e9a5f157724d6ca9047b05ed0e3d9
SHA3-384 hash: cd58adf5ab5b674de92985541acecb8dbeeb66a2ee46f7a243b4b6f2bb048088c5b7b773c4c476882b01a4f12cbb7d59
SHA1 hash: bf175030caf9f23129a63262d9aa345dab620a12
MD5 hash: ad18e53571ae5be2cc2bd0fafd484da2
humanhash: black-jig-steak-bluebird
File name:DEBIT NOTE - SAOFEM20050027pdf.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:985'088 bytes
First seen:2020-07-29 05:24:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:TQe6H3aJa0ir1T/tphJqlibPiEj3z1dHK1Wi:E7H3aaxT/Tqlib7z3q1l
Threatray 747 similar samples on MalwareBazaar
TLSH C225F119FA91ED15C3FE4234EADD2119CAFCC186926BF715684492EB29C63B3EC41372
Reporter cocaman
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34122/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Running batch commands
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/401185
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Deletes itself after installation
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 252805 Sample: DEBIT NOTE - SAOFEM20050027... Startdate: 29/07/2020 Architecture: WINDOWS Score: 100 35 Multi AV Scanner detection for dropped file 2->35 37 Sigma detected: Scheduled temp file as task from temp location 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 6 other signatures 2->41 8 DEBIT NOTE - SAOFEM20050027pdf.exe 5 2->8         started        12 wuapihost.exe 2->12         started        process3 file4 29 C:\Users\user\AppData\...\&startupname&.exe, PE32 8->29 dropped 31 C:\Users\user\AppData\Local\...\tmpEF94.tmp, XML 8->31 dropped 33 C:\...\DEBIT NOTE - SAOFEM20050027pdf.exe.log, ASCII 8->33 dropped 45 Injects a PE file into a foreign processes 8->45 14 DEBIT NOTE - SAOFEM20050027pdf.exe 3 8->14         started        16 schtasks.exe 1 8->16         started        18 DEBIT NOTE - SAOFEM20050027pdf.exe 8->18         started        signatures5 process6 process7 20 cmd.exe 1 14->20         started        22 conhost.exe 16->22         started        process8 24 powershell.exe 17 20->24         started        27 conhost.exe 20->27         started        signatures9 43 Deletes itself after installation 24->43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92a7c4b4694b3849c97651e3c5713eedbf3e9a5f157724d6ca9047b05ed0e3d9/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-29 05:25:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=skt4jndjjm4etslwkhr4k4j65w7t5gs7cv3sjvwksbd3axwq4pmq._file
Verdict:
suspicious
Similar samples:
0650a30b2e54bc824ad7c986606f98d127e11dc0f401ad6465deb77e1ffb3f01
MassLogger
1382fdb29bab4fdfecdead8eb5d85d022a16d4f0286513b226745d890a3f47f4
MassLogger
1dc4cd5cf6cb54871f9deba8d8c39cf6856a149d4c099585c5555a810e1e96dd
MassLogger
5b21a902c6ecee945467bf474131a618a7638e1757807f268300b21662e3fb12
MassLogger
642f3ac7ce246c87fed41bc3952ed2086187587f34a5b27270ac3c1ffca8aff3
MassLogger
7f0fb6cbeb67d61d2fcf55c3e9496eee625be53db7e4e0a6321403efd9f8f7c8
MassLogger
82b29aea19d46b3da79de8efa015b73dd3589353e16b73579820ab8a1a0ec077
MassLogger
89819dbac176147b14b878250b43d1954844e6f0d4bace8b4607bad4405ca96b
MassLogger
8a0779333aa240cc2fd83c8e32febca648d04c2e01db732fbc0e6180495b7ae9
MassLogger
cb8a3020513f5f20c9bf0024baa3e328fc8d54794b9b94f7ddc0e2bac208945f
MassLogger
+ 737 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200729-44pf6m8fc6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/92a7c4b4694b3849c97651e3c5713eedbf3e9a5f157724d6ca9047b05ed0e3d9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip ade8bfcf1415da45b6137e1e3f610caf22d333cc70d4eb52d7e22131d212461b

MassLogger

Executable exe 92a7c4b4694b3849c97651e3c5713eedbf3e9a5f157724d6ca9047b05ed0e3d9

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 ade8bfcf1415da45b6137e1e3f610caf22d333cc70d4eb52d7e22131d212461b
Cape
Cape
https://www.capesandbox.com/analysis/34122/

Comments