MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 081205a1e12ae85fc98b3bde78035af672a04a90f0dd11eaa564510a83ab0c4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 081205a1e12ae85fc98b3bde78035af672a04a90f0dd11eaa564510a83ab0c4e
SHA3-384 hash: b7676712ae168666c3cda8ade7c9a9aa369a318ebeda2fdb2e04146cf0be6452360a103168955626f2e4a56b21d2a8cb
SHA1 hash: 885fb04a3113493b8b2f92ed24bd063836a1792c
MD5 hash: 3324bd828b730d94e85093ac722c836a
humanhash: seven-kentucky-thirteen-virginia
File name:NEW ORDER ENQUIRY#58632011-pdf.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:914'944 bytes
First seen:2020-10-12 14:50:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:lOHVywgE5+aCAgwVWhy4TjkJOl+MG2Hx3Kei4g9cz1ZPVxXXvy6Con:lSV/TQqchPosllBHlC4g9cz1Z/7
Threatray 212 similar samples on MalwareBazaar
TLSH 6C157DF139CE587CE62A073191B6A4C3F63E22C73F588A0EBA5B430C1E16657971625F
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: rocasoft.es
Sending IP: 85.214.213.118
From: Anabela Carvalho <anabela.carvalho@sameca.com>
Reply-To: Anabela Carvalho <baeutyslondon@yahoo.com>
Subject: NEW ORDER ENQUIRY
Attachment: NEW ORDER ENQUIRY58632011-pdf.7z (contains "NEW ORDER ENQUIRY#58632011-pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Fareit.cc.2676.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a window
Creating a file
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Deleting a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488590
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/081205a1e12ae85fc98b3bde78035af672a04a90f0dd11eaa564510a83ab0c4e/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 11:00:59 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bajalipbfluf7smlhpphqa226zzkasuq6dord2vfmriqva5lbrha._file
Verdict:
unknown
Similar samples:
05d567307393895ec32ac3ba2baade59a8a4bc95795fb15045c5c1b3569f95df
MassLogger
0edc105e9bc4e9b297487650e45b6ee0b0ca1e97e2194a2b455d657e428be977
MassLogger
4323dbb489f82a5a4906fbc6e0dc37a6589dc7b073f2fa0a569b7d3409314e15
MassLogger
8878c46875d3b0d420bd76508490e5c6df7a55359d1d039f0edb145e836addb1
MassLogger
914712c702b94abb26e0d1edbd54712d62a2fdb6cfbc9bd41ac8bcb84296358f
MassLogger
a4b6103b1dfe717301995f598b140b0ce26e7a1541f45b6ed6485c05dca2692a
MassLogger
bd959929f72ad78adfc193a1b6f3951a41cb2fd273e97680ca41030c7c4ad271
MassLogger
e32078ed47237d3dcd08fdd721bf3d65c84d62f5fd7d33719381418b13425b0e
MassLogger
f4e60792b136f02c28fd35322ee58bf723aeaa3611d286417d8b2b0707612cdc
MassLogger
fbe07dca7476dba15e9dd639c2b5a71c6bbdf21b0f50ee1fde6aa5bc13e19243
MassLogger
+ 202 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
spyware stealer family:masslogger
Link:
https://tria.ge/reports/201012-clhw7c9shx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
081205a1e12ae85fc98b3bde78035af672a04a90f0dd11eaa564510a83ab0c4e
MD5 hash:
3324bd828b730d94e85093ac722c836a
SHA1 hash:
885fb04a3113493b8b2f92ed24bd063836a1792c
Link:
https://www.unpac.me/results/0e1a5bb9-de81-4691-9d1d-e17cee5fb851/
SH256 hash:
30140c3bf5874d7d184b15513016f9de1524ae95a5efe9a1cb15bad6d6936d64
MD5 hash:
03847d82611bc6461cbb99ca768828f1
SHA1 hash:
39859a3fd3326520dfd1ed10456bb227933a8871
Link:
https://www.unpac.me/results/0e1a5bb9-de81-4691-9d1d-e17cee5fb851/
SH256 hash:
89aa143c91d8cace96581d1ad1e4a67060238498168d9e412227019a838574a3
MD5 hash:
beadcc53a3524ce380a7b07b4da47d57
SHA1 hash:
7014b2381ef1ca0f0c8f1b0884315260dc73932f
Link:
https://www.unpac.me/results/0e1a5bb9-de81-4691-9d1d-e17cee5fb851/
SH256 hash:
4835c83f148dce26fd2433c44b600ee273b06193e532f5f84397edeeeec4def7
MD5 hash:
38fdf1cf5b51e92de886bea21f1bce06
SHA1 hash:
82ffdebbc287b3d4e15023eb7735afbe30373de4
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/0e1a5bb9-de81-4691-9d1d-e17cee5fb851/
Parent samples :
081205a1e12ae85fc98b3bde78035af672a04a90f0dd11eaa564510a83ab0c4e
779ef456127a144ebaa7485d4109add0574ec267fc350d4d3493d77631a56fde
2ab05797cf729e2a8c82cdfee67089f8378297c3b21379d11465207e681f2d1e
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/0e1a5bb9-de81-4691-9d1d-e17cee5fb851/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/081205a1e12ae85fc98b3bde78035af672a04a90f0dd11eaa564510a83ab0c4e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip f75fb015fc7f952976c2035a68a790423129f93e905b50fd9af0267fdaef46b3

MassLogger

Executable exe 081205a1e12ae85fc98b3bde78035af672a04a90f0dd11eaa564510a83ab0c4e

(this sample)

  
Dropped by
MD5 16f34aefae22e6c681287d3086c5ee1a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f75fb015fc7f952976c2035a68a790423129f93e905b50fd9af0267fdaef46b3
Cape
Cape
https://www.capesandbox.com/analysis/70135/

Comments