MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1ce8a3c72d7e45300b38de923c0ad45c466ef17a44bec4aad85a4672690eb22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1ce8a3c72d7e45300b38de923c0ad45c466ef17a44bec4aad85a4672690eb22
SHA3-384 hash: c08970e4a65437e74bdd3e8e9e0e9b0fc42e9a9e15d35cce707ec541b4d9862b1810253824a4b0c4cf32cd257497809b
SHA1 hash: c76eeca4dbff9834820c7c4373fd6ad230f7b5b6
MD5 hash: a556bc0ce0bcf11af90c5405f3aa9067
humanhash: nine-tennis-beer-mountain
File name:ZZW00008112020ZD1_DPILpdf.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'026'048 bytes
First seen:2020-08-11 10:53:53 UTC
Last seen:2020-08-11 12:14:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:LwVHtLgVPtL0Jj4szuqEu3mpfsov8rVjEQA:YNgVPtAjfuqEuCfsTra
Threatray 706 similar samples on MalwareBazaar
TLSH 8C25BFA8325476EEC997CD36896C2C50EA253C276B1FC50BA017319C9A3DB97DF106B3
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vps.i4kp.com
Sending IP: 144.217.14.232
From: Bartosz Bazia <sklad.brno@betosan.cz>
Subject: New purchase order Cellfast - ZZW/00011/06/2020/ZD1_DPIL
Attachment: ZZW00008112020ZD1_DPILpdf.zip (contains "ZZW00008112020ZD1_DPILpdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/43248/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.19717.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Running batch commands
Enabling autorun by creating a file
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/418483
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1ce8a3c72d7e45300b38de923c0ad45c466ef17a44bec4aad85a4672690eb22/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-11 10:55:12 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6hhiupds27sfgaftrxushqfnixcgn3yxurf6ysvnqwsgojuq5mra._file
Verdict:
unknown
Similar samples:
0fd0591e79669d6016acff95109efd434cc39498d83f4ebdaac67c96091e4fa9
MassLogger
3e4bbaedb75ecb1dba42d262fbb6c051d30dddbf7d10ceac4086836b67f1dd3a
MassLogger
6cf454ec0892e0367356ae674e93612f1c23d9c99874d8ff7de7d77055cbf9c6
MassLogger
6d2a566cdadb7d1397ba4cc96cf0ad361358a717523f547c30af8c92b88b712b
MassLogger
81294a847822a4b2b75133370a6b627d8fd2db2470767608522c4229ffa88133
MassLogger
878e1a1b65cc05eb728bf4ce85b7ad87576bbc9c8465d1348c71cef4e8c098f2
MassLogger
8f8324aa2244c6ecc4369ef6e5ea25b405ecf48aef96e34cc04c56f6ad240ade
MassLogger
c3678d87151b21e6a29ded035522c1c22950f97787e45b3df2dba52a4e688c97
MassLogger
df68e151234024e309edd6285be6afa2ac21b30fa660f3aefe4417b17ab27400
MassLogger
fc9d50ccd0d0a267f1fa1003607ea81931a9c1f857798c3b10af9b5408f01437
MassLogger
+ 696 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware stealer spyware family:masslogger
Link:
https://tria.ge/reports/200811-7jbg2mg5t2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.66
Link:
https://yomi.yoroi.company/submissions/f1ce8a3c72d7e45300b38de923c0ad45c466ef17a44bec4aad85a4672690eb22

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip ef3a705d92f5919949be18024d4ff6f88a4717b707bdf598fb0cac25dc7ab49c

MassLogger

Executable exe f1ce8a3c72d7e45300b38de923c0ad45c466ef17a44bec4aad85a4672690eb22

(this sample)

  
Dropped by
MD5 ad1e00710b6412d78c1e3eae5416b811
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/43248/
  
Dropped by
SHA256 ef3a705d92f5919949be18024d4ff6f88a4717b707bdf598fb0cac25dc7ab49c

Comments