MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbca1b2ee6c097f73a866a102f4f17a5966ede96d69b51d6702a0882181fa866. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	cbca1b2ee6c097f73a866a102f4f17a5966ede96d69b51d6702a0882181fa866
SHA3-384 hash:	1f33a674ff06c941f88cf4de1af97383a9caeda474fe064bdb131e0ac736ef5e0f91467b47f18bebf40bec7c62091558
SHA1 hash:	68f033c10170664c7e5d40aa47f321fd0a31d6bd
MD5 hash:	71005666acb0710d2f81555dacfcd87d
humanhash:	king-berlin-lion-bluebird
File name:	Required and purchase plan 000029300.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'002'496 bytes
First seen:	2020-08-17 06:14:07 UTC
Last seen:	2020-08-17 07:01:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	24576:iSiXzrLgInTsPshkxKUlQqx3VZ6abT7WiTpwDnSnSC:idzrzHh523iabTKi1cSn
Threatray	555 similar samples on MalwareBazaar
TLSH	E2252327B790C252C1396632CC1D450803B8ABD4AA51FA2EBC8D76AF95743E58357FE3
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: vip.126.com
Sending IP: 199.96.83.20
From: Fendi_Qyresearch<fendi_research@vip.126.com>
Subject: REQUEST QUOTATION FOR OCTOBER 2020
Attachment: Required and purchase plan 000029300.PDF.R00 (contains "Required and purchase plan 000029300.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

68

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Ispy

Link:

https://www.capesandbox.com/analysis/46645/

Detection(s):

SecuriteInfo.com.Trojan.Agent.EVBG.10484.20751.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Running batch commands

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/432559

Signature

.NET source code contains potential unpacker

Deletes itself after installation

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cbca1b2ee6c097f73a866a102f4f17a5966ede96d69b51d6702a0882181fa866/

Threat name:

ByteCode-MSIL.Backdoor.Remcos

Status:

Malicious

First seen:

2020-08-16 23:50:51 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zpfbwlxgycl7oougniic6tyxuwlg5xuw22nvdvtqfieiega7vbta._file

Verdict:

unknown

Similar samples:

1c989f633edcaea6e97a4a96f8a1f9ed19d54ed109cfaf1053a67dc48d28fd52

20ec6cdb323f2e2eea0bfb107e820a079a41a3fc6afdf8378de930d7aa7b4160

26f2d26b01147113e1767023ecad609c6b466ce8ede36831362974f808b5f16e

49624f5c771ea1f722d434fe9ddb5985529f67ebb0398ed54f5565ba5e470251

7391f3917523baee91e92967c12e20c57448474696590fcbc6e5e6b3c5e21f78

77edc9558f41f26d6b1586ca2fea51861a67de17a50f9494090070285e1f0c43

8fc4747ee4e9b358ddd1dffff19b0b3f5166e8b4ef15257be68d3fa2decb347e

97a3f574869dfb82834d7481df5e280ab0944dda13ff548d5674e960493cfb8c

e33ecba374a7d34a6c237fde198844930a82c27199c76f49bc0558e0caf1f4a4

f959039896cdd9c4add867b06af7d100629377c66ef7fb0fd4aeba48f9a9593e

+ 545 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200817-vnzd9ayabn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cbca1b2ee6c097f73a866a102f4f17a5966ede96d69b51d6702a0882181fa866

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

r00 d00c00ee39c2f7a87db1c7d238df43c9d71b26c2588f4e335165c5cd67c5094d

exe cbca1b2ee6c097f73a866a102f4f17a5966ede96d69b51d6702a0882181fa866

(this sample)

Dropped by

MD5 fcbf99ca44a7475deda156f70e502283

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/46645/

Dropped by

SHA256 d00c00ee39c2f7a87db1c7d238df43c9d71b26c2588f4e335165c5cd67c5094d

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample