MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a13424875703c2b22381b0f2db797498bca3ac5b677e2e30ae3441aeff6b9e0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a13424875703c2b22381b0f2db797498bca3ac5b677e2e30ae3441aeff6b9e0e
SHA3-384 hash: 58403dcad6c4efcf8d0fb2d25397276b586aa8f17d38dcbea9e7921a275c3f0691fb4b0aa9148244b2c2e2d39b64a3a3
SHA1 hash: 90418c0bc659dceafdae86bf8bec6286523f57c3
MD5 hash: 78bb6b4902befba335227b21c4d68067
humanhash: batman-pennsylvania-violet-kilo
File name:Migliore consulenza globale sui pagamenti PI # CFL002 19A.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'210'880 bytes
First seen:2020-08-08 08:12:19 UTC
Last seen:2020-08-08 08:54:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:R/QAGlIXiuc3WwQDVqiLsT22M2xXzS+7wtyK:R/ol0c3FQpqpUMzzMt
Threatray 736 similar samples on MalwareBazaar
TLSH 0445CF80E2088EA5FC9D4B75987FAC244217BE3EFCB5510D3A5DF2265BB338214A9D17
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

From: Cristina Sasso <Jinju@aramex.com>
Subject: Migliore consulenza globale sui pagamenti // PI # CFL002 / 19A
Attachment: Migliore consulenza globale sui pagamenti PI CFL002 19A.gz (contains "Migliore consulenza globale sui pagamenti PI # CFL002 19A.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42074/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.405.11246.22418.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Running batch commands
Enabling autorun by creating a file
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/415732
Signature
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 260114 Sample: Migliore consulenza globale... Startdate: 08/08/2020 Architecture: WINDOWS Score: 92 32 Sigma detected: Scheduled temp file as task from temp location 2->32 34 Yara detected MassLogger RAT 2->34 36 Yara detected AntiVM_3 2->36 38 6 other signatures 2->38 8 Migliore consulenza globale sui pagamenti  PI # CFL002  19A.exe 7 2->8         started        process3 file4 24 C:\Users\user\AppData\...\fxOtdvoHGq.exe, PE32 8->24 dropped 26 C:\Users\...\fxOtdvoHGq.exe:Zone.Identifier, ASCII 8->26 dropped 28 C:\Users\user\AppData\Local\Temp\tmpE6C.tmp, XML 8->28 dropped 30 Migliore consulenz...CFL002  19A.exe.log, ASCII 8->30 dropped 40 Injects a PE file into a foreign processes 8->40 12 Migliore consulenza globale sui pagamenti  PI # CFL002  19A.exe 2 8->12         started        14 schtasks.exe 1 8->14         started        signatures5 process6 process7 16 cmd.exe 1 12->16         started        18 conhost.exe 14->18         started        process8 20 powershell.exe 19 16->20         started        22 conhost.exe 16->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a13424875703c2b22381b0f2db797498bca3ac5b677e2e30ae3441aeff6b9e0e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-08 08:14:10 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ue2cjb2xapblei4bwdznw6lutc6khlc3m57c4mfogra2573ltyha._file
Verdict:
unknown
Similar samples:
322eeeb2b916b9cbced49b43ad579f100ede0dd79ae6cb115f764084ed0a3627
MassLogger
50529809a9b92f2b353e94a27b850f7be76f820c9a413a5968d686026936c133
MassLogger
5092d9ebc85e835f7ef16d20b935cf58cc52715c0cfdb88a2723d3a34f9b1526
MassLogger
58322659acfc21d063a2acb0d64ea2846d21ab2e256b0ae4f83646ff03bf2387
MassLogger
63f3c0c57169df7444e25fcfcc6626bc14d6e85dea12a1b6bb137e780f71cbb5
MassLogger
983642426c54efb09b590e6f4344483d07b99a9e3a2551d504d4293183d701c3
MassLogger
a990373e6225384bd1bab3441dc0cb881f1e03f51f83f7923ca6c9ff228bee5c
MassLogger
acf7a212615c205ab87f28d19c97bc50fb93d8568f3960b06d2174d1c28f355e
MassLogger
b3349406861e76bfb84f4757a646c3fe94eb5e1cd27abeeffa48aabb6c8fa4d5
MassLogger
c8c4219d39faa8c727e9905b5156f4bc71c4bfbb4c9495c8a80be7020cd4380f
MassLogger
+ 726 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200808-55h4tzsbgj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Creates scheduled task(s)
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger log file
MassLogger
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/a13424875703c2b22381b0f2db797498bca3ac5b677e2e30ae3441aeff6b9e0e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip c99795d551dcec9f256338f7253d413be4f2ceb2b20c5bc3515041683cd22a6a

MassLogger

Executable exe a13424875703c2b22381b0f2db797498bca3ac5b677e2e30ae3441aeff6b9e0e

(this sample)

  
Dropped by
MD5 5d9351c921398cfdab9497c418937b69
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/42074/
  
Dropped by
SHA256 c99795d551dcec9f256338f7253d413be4f2ceb2b20c5bc3515041683cd22a6a

Comments