MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c576ee9b927aa490d554523d3faf7be5a897f215972f2973bafb62c1465123bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c576ee9b927aa490d554523d3faf7be5a897f215972f2973bafb62c1465123bb
SHA3-384 hash: 6559ef6b496053a32ad08a9cea3ca0b55967333059ceb2afea3633c9ea15af5601974d99764836a5a508a2416b592fc6
SHA1 hash: df15726bd26b97e4658a49b02f7199c30245dfa7
MD5 hash: 917f02f1c5a3509fadf087e12ac83330
humanhash: bravo-timing-edward-july
File name:Our New Order May 27 2020 at 2.30_PVV440_PDF.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'310'208 bytes
First seen:2020-05-27 11:31:34 UTC
Last seen:2020-05-27 13:16:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:JSJ6NccP0x59tlyXwHq5xNCvK4pdlnt0h:JPk9DzHs2Kalnt
Threatray 998 similar samples on MalwareBazaar
TLSH 40555B3735828408C53A42790079EAC5AAF667813616C72EF69F630B4F82F7F7B911D9
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: server.lazul.com
Sending IP: 82.194.91.57
From: Biberiye Ahlam <direccion@eucov.com>
Subject: RE: AW: Our New Order No. 155717
Attachment: Our New Order May 27 2020 at 2.30_PVV440_PDF.img (contains "Our New Order May 27 2020 at 2.30_PVV440_PDF.exe")

MassLogger SMTP exfil server:
mail.pooldeexcursiones.es:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Generic.mg.917f02f1c5a3509f.13507.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agenttesla
Create hunting rule
Status:
Malicious
First seen:
2020-05-27 11:35:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
20 of 31 (64.52%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
0ffa7ac2091ab004e6755e1e66539633b6a628e90094d80357895df0e6092f9c
MassLogger
13dd79b77c2ed2ba77d509e2d3b4621e83f7105674353f7e30930e07b099bce5
MassLogger
239fca3f5df496aab1b7c7696aaa26d77174501abc9cb1c1e12a188584d745cc
MassLogger
40eac0b9c7fb03c9f4a54a82b47534babfdcc931b5d83832f1ae2facd9fe0cc3
MassLogger
4f3ee8bb321639618ea25d8ceb965d1c695255e5a28b48bd62a659f8b84872cc
MassLogger
92fe26c8230e536786caaa0932023f795e94d364ef3221a728d81d7ef90afd2a
MassLogger
a2c284a50d4fc05794e3bce123492bd9e547b272d9f7b87832fdc72b681580e7
MassLogger
a325f636f8f04610f7abed81f75739bba89f86d802415efd6725e127619cbf02
MassLogger
a412b9a89e53822798a37e00efb760bf4556140d0c1088b440aaa57f10869603
MassLogger
dbdbfa24b62d54b1624dac7d07bd939677342c820867b0d8993f0ab95af3d342
MassLogger
+ 988 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger agilenet ransomware spyware stealer
Link:
https://tria.ge/reports/201109-y8m7822dzn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
MassLogger
MassLogger Main Payload
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

img c7d1887eb7a9762107c04b02a93014df0869620b287579da38f922f7989c8111

MassLogger

Executable exe c576ee9b927aa490d554523d3faf7be5a897f215972f2973bafb62c1465123bb

(this sample)

  
Dropped by
MD5 11d4191b4fbaaaf6de25f349151fd1f7
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c7d1887eb7a9762107c04b02a93014df0869620b287579da38f922f7989c8111

Comments