MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0329eea7ab274894de8d7f91105cdea35e86e45e73c9c4411c5fae7cd564832c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



MassLogger


Vendor detections: 9

SHA256 hash: 0329eea7ab274894de8d7f91105cdea35e86e45e73c9c4411c5fae7cd564832c
SHA3-384 hash: aa431839edbf0f136177944d2afa1967771961f1deb680da6b2f9fd55d247b6fc45f18869a24f21aaf3f25fc96520930
SHA1 hash: 65dbfdd4da931bd749f99b5a3c766baa61012e6c
MD5 hash: a11cb2b444cb1a165e23fc97fe1304cb
humanhash: diet-mirror-high-mobile
File name: Hesap hareketleriniz.exe
Signature: MassLogger
File size: 1'303'552 bytes
First seen: 2020-08-04 13:35:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4bae7147ec04d935db5914fb885560bb (11 x AgentTesla, 3 x MassLogger, 2 x AZORult)
ssdeep: 24576:detNafLLOM9QKlNwWIM2vIeqWDvV8MxK1PmZU14Sn:de00Kl6Wt2vIeqM3xiPmZGL
Threatray: 1'831 similar samples on MalwareBazaar
TLSH: 4C55CF1EB3A08C36F1B2367DBD1B5EA4582EFD012D289A463BE4DD4C4E386513A35397
Reporter: abuse_ch
Tags: exe geo MassLogger TUR


abuse_ch
Malspam distributing unidentified malware:

HELO: mx.diyarbakiroto.com.tr
Sending IP: 176.53.12.184
From: QNB Finansbank <email@email.qnbfinansbank.com>
Reply-To: otikafranklin@gmail.com
Subject: Hesap hareketleriniz
Attachment: Hesap hareketleriniz.rar (contains "Hesap hareketleriniz.exe")

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 79
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Unauthorized injection to a recently created process
Sending a UDP request
Using the Windows Management Instrumentation requests
Running batch commands
Creating a file
Unauthorized injection to a system process
Enabling autorun by creating a file
Deleting of the original file
Result
Threat name: MassLogger RAT
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected MassLogger RAT
Behaviour
Behavior Graph (ID 257039; sample: Hesap hareketleriniz.exe; start date: 04/08/2020; architecture: WINDOWS; score: 100)
Root signatures: Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); Detected unpacking (overwrites its own PE header); 7 other signatures
Process tree:
  Hesap hareketleriniz.exe
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process; Queues an APC in another process (thread injection)
    notepad.exe
      signatures: Drops VBS files to the startup folder; Delayed program exit found
    Hesap hareketleriniz.exe
      dropped: C:\Users\...\Hesap hareketleriniz.exe.log (ASCII)
      cmd.exe
        powershell.exe
        conhost.exe
  wscript.exe
    Hesap hareketleriniz.exe
      signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process
      notepad.exe
        dropped: C:\Users\user\AppData\Roaming\...\eee.vbs (ASCII)
      Hesap hareketleriniz.exe
        cmd.exe
          powershell.exe
          conhost.exe
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2020-08-04 13:37:05 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family: masslogger
Score: 10/10
Tags: ransomware upx spyware stealer family:masslogger
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Reads user/profile data of web browsers
UPX packed file
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
MassLogger
Executable exe 0329eea7ab274894de8d7f91105cdea35e86e45e73c9c4411c5fae7cd564832c (this sample)

Delivery method: Distributed via e-mail attachment

Comments