MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01053beaa477c1cbf38cd7914244da9e75a22f59568056048fefde017503226e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01053beaa477c1cbf38cd7914244da9e75a22f59568056048fefde017503226e
SHA3-384 hash: 9f085048bf4aeecbf57d64323fde3391962688141c78d216c726c8c1cefb50a6f62beee1f21533149b0bf4ddebd25ef8
SHA1 hash: c4f94218183dd65573fc143e2051b776c3c0e13d
MD5 hash: 8d4fb7606e6270b7190b97f382993b42
humanhash: aspen-lithium-charlie-maryland
File name:Halkbank.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:892'416 bytes
First seen:2020-09-18 16:55:05 UTC
Last seen:2020-09-18 17:50:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:qnTq/B++r60H1qRrznXOdDU9k3CDOSeJot8EUpWLfM88vqXVjPM6boym+gm2xOKY:RBRrFVWrzsUAaOSeJoPxsyFrMWBm/D1
Threatray 237 similar samples on MalwareBazaar
TLSH 7115E05032AA3B0AE6748BF40204B472C3B554267669C3897F8331FEA5F5BD07E65B4B
Reporter GovCERT_CH
Tags:MassLogger

Intelligence

File Origin
# of uploads :
3
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.23275.14078.26680.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Launching a process
Reading critical registry keys
Setting a global event handler for the keyboard
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/470316
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01053beaa477c1cbf38cd7914244da9e75a22f59568056048fefde017503226e/
Threat name:
ByteCode-MSIL.Infostealer.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-09-18 10:26:08 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aectx2veo7a4x44m26iuerg2tz22el2zk2afmbep57pac5idejxa._file
Verdict:
unknown
Similar samples:
234b2c300af5e4ac2001332e07c2e54bd48dac174cf8b5d0c486a3cc6076043c
MassLogger
669c338b6022e64b567ca5975b33f2ca26ec77e3b85d3dcb5b8d2002417333d9
MassLogger
a920f6bd5e8cf8734daa7aa6b0a79b3edc9725c436f5b6bdec9a7490792c8298
MassLogger
af910e755d963e281b1d652fc3cbe38d71db63afdaf29043c5edd5b707aefc1e
MassLogger
d6e1a688daa6611f7ff1ebf6724c3ccdabc18b97b1f606ec7bc141d8b81e1082
MassLogger
d8cea078199dbdef51ec7189cf03541bbcbd10c49a133b187348e2a24fe1e2eb
MassLogger
dc0087097e433036c00aaf8751d4cd9dc3e309fdba09c2ee1415a4060aa1cced
MassLogger
dd652810ff0fc0288768ac20d5fcc76f7bc517c3ed8b066a18340a8b69c69c3a
MassLogger
f23b9e7560ded009508ff2a4dd75507d7bf087ad69c47fc5320af052d95fa814
MassLogger
fd427caee9d158cc48ba9b5a0ecd3243a77b354f07321a5f80e5fdcde17aed9f
MassLogger
+ 227 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/200918-y48daqvhsx/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Looks up external IP address via web service
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Checks computer location settings
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01053beaa477c1cbf38cd7914244da9e75a22f59568056048fefde017503226e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 8487b2055d2689999be3ef815192fd8bbc9d666b64f80753aa22ccedb2cdf604

MassLogger

Executable exe 01053beaa477c1cbf38cd7914244da9e75a22f59568056048fefde017503226e

(this sample)

  
Dropped by
MD5 b3b57d7700d2416f9aada7e29d02a372
  
Dropped by
SHA256 8487b2055d2689999be3ef815192fd8bbc9d666b64f80753aa22ccedb2cdf604
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/63492/

Comments