MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 061e4c2aaf9eb384ce88acacafa133185ede67c01c1ad01d1949218e04901c6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 061e4c2aaf9eb384ce88acacafa133185ede67c01c1ad01d1949218e04901c6b
SHA3-384 hash: fed9256fa7db78a508c70a42e84ed85c2e794d14fa91e4a0d184a14fb21ec5f110c9e7d3437d06731c5a1382ccd35bee
SHA1 hash: 01e83d13030de6f688ba8bd619fb9f6cf78738ac
MD5 hash: b63890661a387c1b409616b89c405937
humanhash: leopard-india-vermont-burger
File name:QUOTATION 014-S180053A.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'116'160 bytes
First seen:2020-11-04 14:22:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:YSpLJci0kv3Qb2RN8f1uzWT1wIy2YCltG8:ZWi0W3Qb68f1uzWTmN25G
Threatray 577 similar samples on MalwareBazaar
TLSH 3735CF132DD58BE8F18B3736D55A844807B4E96214F1D71BECFA38DA44213A2BB13DE6
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

From: "Annjelli Mabini" <purchasing@petronav.com.cy>
Reply-To: info.abidullafouad78@yahoo.com
Subject: quote
Attachment: QUOTATION 014-S180053A.rar (contains "QUOTATION 014-S180053A.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/82924/
Detection(s):
SecuriteInfo.com.ArtemisTrojan.3897.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/520248
Signature
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 309223 Sample: QUOTATION 014-S180053A.exe Startdate: 04/11/2020 Architecture: WINDOWS Score: 100 33 Malicious sample detected (through community Yara rule) 2->33 35 Sigma detected: Scheduled temp file as task from temp location 2->35 37 Yara detected MassLogger RAT 2->37 39 8 other signatures 2->39 8 QUOTATION 014-S180053A.exe 7 2->8         started        process3 file4 25 C:\Users\user\AppData\...\CmmkAigwqicwHe.exe, PE32 8->25 dropped 27 C:\...\CmmkAigwqicwHe.exe:Zone.Identifier, ASCII 8->27 dropped 29 C:\Users\user\AppData\Local\...\tmpDE88.tmp, XML 8->29 dropped 31 C:\Users\...\QUOTATION 014-S180053A.exe.log, ASCII 8->31 dropped 43 Injects a PE file into a foreign processes 8->43 12 QUOTATION 014-S180053A.exe 2 8->12         started        14 schtasks.exe 1 8->14         started        16 QUOTATION 014-S180053A.exe 8->16         started        signatures5 process6 process7 18 powershell.exe 17 12->18         started        21 conhost.exe 14->21         started        signatures8 41 Deletes itself after installation 18->41 23 conhost.exe 18->23         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/061e4c2aaf9eb384ce88acacafa133185ede67c01c1ad01d1949218e04901c6b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-04 14:24:08 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aypeykvpt2zyjtuivswk7ijtdbpn4z6adqnnahizjeqy4beqdrvq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
0492389f51ea478d6b922d2e41b7f8bf54c7231ed062bae93b8ede289926db7f
MassLogger
265c93af05ea076407228de4cdfecc5e4052273610d35021afd1d0e72c81bb92
MassLogger
2bafe7b4f77916d7ca905d9d46453d27e090b85ba065f4892a886abdc8e51863
MassLogger
4747e3d90198171f10ab973d32e0cbf1f679148832d1d10a6ec99a340b0a307f
MassLogger
5864ae2b93c0ee29d29323151d1000df53cd3edca13b653e3b560871539ab384
MassLogger
70f4d4292ae1e84f9aba35df12e510161a98d453697ed8ce4bebb5fabdb71232
MassLogger
9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4
MassLogger
a01cd6294d3b5bdf73771b113493d8a5c2df3f105db7d084b0729345a32a4453
MassLogger
b87399c6d528ab7bf017ea2c0d5a1b8d6eb5eb98c1837af426b4beff34372c01
MassLogger
b8ddba51be188310218fd595f1053023789453dcc894b1a9a61d1d0494dee15d
MassLogger
+ 567 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger spyware stealer
Link:
https://tria.ge/reports/201104-q69e386xz6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Deletes itself
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
061e4c2aaf9eb384ce88acacafa133185ede67c01c1ad01d1949218e04901c6b
MD5 hash:
b63890661a387c1b409616b89c405937
SHA1 hash:
01e83d13030de6f688ba8bd619fb9f6cf78738ac
Link:
https://www.unpac.me/results/5af52584-6ead-4765-b59a-abbc743f315d/
SH256 hash:
efb09b410b78d700ec8fba1cc6198dcc8281e65b8c7322e428e9871f045574ef
MD5 hash:
315474e1d69203a8688c10412e9b4016
SHA1 hash:
05776e9aa10556f698f9ac999ecd51893d220070
Link:
https://www.unpac.me/results/5af52584-6ead-4765-b59a-abbc743f315d/
SH256 hash:
8930f86b92202203c382296f7eb2445df52974e52f526d661b2b263f8a2a34d5
MD5 hash:
e3f59a94e4985db3acfab1976f72e409
SHA1 hash:
118fb9ab7ef97fb3c48a63a7e5f7463746cbfde0
Link:
https://www.unpac.me/results/5af52584-6ead-4765-b59a-abbc743f315d/
SH256 hash:
cda5025d5e56aa7c28bd60bc6313597503bcbbe3629d9042f1fc64e0ac4e5120
MD5 hash:
507ff1fdccb933027c58dbad190ba1e0
SHA1 hash:
7f04a8b9cae7a1443b6d0be3a35428df41e7a3cd
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/5af52584-6ead-4765-b59a-abbc743f315d/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/5af52584-6ead-4765-b59a-abbc743f315d/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar bd2cf4ae32bb8ea13e97d2807806f150179290346dd13e2b6c1519fe0088864f

MassLogger

Executable exe 061e4c2aaf9eb384ce88acacafa133185ede67c01c1ad01d1949218e04901c6b

(this sample)

  
Dropped by
MD5 a6b12bb265205a4b6900d5b568ebe534
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/82924/
  
Dropped by
SHA256 bd2cf4ae32bb8ea13e97d2807806f150179290346dd13e2b6c1519fe0088864f

Comments