MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5e0fbe83739081ba2bc70e0aae26a0dd33358061b931f96e3ee12eefae90fbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5e0fbe83739081ba2bc70e0aae26a0dd33358061b931f96e3ee12eefae90fbf
SHA3-384 hash: 58cd461b9b1f6d98be00ae68c40c2fc914b175041dd99fe3ec42eff863df569ba906cd8c40e556c8d757c7e75bf882c7
SHA1 hash: bbfb15f6526e804150df582140c5697e7befb7e7
MD5 hash: 62a5098ca9b33099ef35ff4ab0d5b325
humanhash: bulldog-october-salami-gee
File name:2020080495209.pdf.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'393'152 bytes
First seen:2020-08-04 13:43:24 UTC
Last seen:2020-08-04 15:22:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:0H5gABSjJuLdddHVWNNoqgzL8H2GBuJVJZ:06AuJQjHV3qgzL8Xu1Z
Threatray 1'001 similar samples on MalwareBazaar
TLSH 7855AE82F540C950C96A4E36CD67DA9443337D66EF4797077088BA2B38E31D3AE266C7
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: boffincontrol.com
Sending IP: 192.3.96.117
From: Ahmedkhan Boffin <ahmedkhan@boffincontrol.com>
Subject: Re: Revised Offer for GRP Fittings
Attachment: 2020080495209.pdf.zip (contains "2020080495209.pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38758/
Detection(s):
SecuriteInfo.com.Backdoor.MSIL.Bladabindi.11468.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/409546
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f5e0fbe83739081ba2bc70e0aae26a0dd33358061b931f96e3ee12eefae90fbf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 13:45:08 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6xqpx2bxheebxiv4odqkvytkbxjtgwagdojr7fxd5yjo56xjb67q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1bfafe2577a126c301463e5902f1bf23bc69cbdf346bd7c870ae9b622bcd2104
MassLogger
22d5036d18a7dbaf7a67487165b4bca434220d5d066ba9f74bc1ad20eb37290a
MassLogger
329f7981abeef752b487e4ca790a53e38ff1b00872dbe037f3a122c276357b20
MassLogger
5bcb70f11599399247472b82c228cada04a5896b4fc0aa2cb8730955130a07f7
MassLogger
67da8a06938ef9c410525c901be8256cd02a9643d67a61f0f8d49c79fcfc6ef5
MassLogger
8366973011083e5a6ddd8b602c3bfb70d6334e9a28a0113215197c97774d6b0c
MassLogger
a0f024a09ccea8cb498c0c0b28b5b2153b97cfa3a2f29a61329f2d80a23e6780
MassLogger
a29e80ca06b950427dc024e1a44049256aaaee18539dcecd7efe600309a589cf
MassLogger
b81898c8e22774e33768ab962a3acca0c718197c2b4434f3ae51761569bd7ccb
MassLogger
fd79e00e91b710ac1f39fb70bfd49e65b1810f0c03d137103c78579ddc063a9d
MassLogger
+ 991 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200804-6qbvj66axa/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f5e0fbe83739081ba2bc70e0aae26a0dd33358061b931f96e3ee12eefae90fbf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip bc52fb733abe8c7201c916a18bf92214f50132eab17878203f2df63a44cb7d4c

MassLogger

Executable exe f5e0fbe83739081ba2bc70e0aae26a0dd33358061b931f96e3ee12eefae90fbf

(this sample)

  
Dropped by
MD5 4ddd157bdf72d0fecf1f4297c06f5426
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38758/
  
Dropped by
SHA256 bc52fb733abe8c7201c916a18bf92214f50132eab17878203f2df63a44cb7d4c

Comments