MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bb9226c32e2505fc4f25a368e909afd29152096ac001aa604eda6ca16b34a3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0bb9226c32e2505fc4f25a368e909afd29152096ac001aa604eda6ca16b34a3f
SHA3-384 hash: f648f91e3c8bfd38f1232515d3912d423e0d14057e4333e56447ae224ca001726f56d5a11a7d7451db1cdee84b86dc51
SHA1 hash: aadcf85bdac1ca3daa3ce64af64984492b2a19d7
MD5 hash: 13dac49a8fa76b2c8839783922398ea2
humanhash: cat-cat-nevada-golf
File name:PO 858639 vendor.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'034'240 bytes
First seen:2020-11-20 07:38:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:Mgk3UAaPAje5UxqmDW4HUYRWvqZEsq+a5SD8B:M5kAaPAjs1mDpUYRWvqZEsqF5S
Threatray 545 similar samples on MalwareBazaar
TLSH 3525CFAD3694769FC827CD76CDA41C60EBA174B7472BC247905315ACAE1D98BCF202F2
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: veeco.com
Sending IP: 101.99.91.207
From: Jill Shelley <JShelley@veeco.com>
Subject: New Order #858639
Attachment: PO 858639 vendor.rar (contains "PO 858639 vendor.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching the default Windows debugger (dwwin.exe)
Result
Gathering data
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/543983
Signature
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 321092 Sample: PO 858639 vendor.exe Startdate: 20/11/2020 Architecture: WINDOWS Score: 88 19 Antivirus / Scanner detection for submitted sample 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 Yara detected MassLogger RAT 2->23 25 4 other signatures 2->25 7 PO 858639 vendor.exe 3 2->7         started        process3 file4 17 C:\Users\user\...\PO 858639 vendor.exe.log, ASCII 7->17 dropped 27 Injects a PE file into a foreign processes 7->27 11 PO 858639 vendor.exe 2 7->11         started        13 PO 858639 vendor.exe 7->13         started        signatures5 process6 process7 15 WerFault.exe 23 9 11->15         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0bb9226c32e2505fc4f25a368e909afd29152096ac001aa604eda6ca16b34a3f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 21:16:24 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bo4se3bs4jif7rhsli3i5ee27uurkiewvqabvjqe5wtmufvtji7q._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
5057b3e15343b23d956143c48a195f14e8fb991f5eaaec694ea3edd04419455b
MassLogger
5dd47f464bc8ffd53265830f42bd4e1bdea24f88f6eaab97896cf52a4c162f20
MassLogger
85e74e088eaf61b95d366932ff738a2c100eef6f07960860028af7d789063330
MassLogger
a8823b9448d287d781bfaa8eb6b974ed4298a2fb73e6ffc2b9327d8943d238ba
MassLogger
ba35ef227636d6968eeada03534fc58057ffc2514eb120dd4e3326c0a84dafd1
MassLogger
bde085b89e6e50618b1f38f6d889bf9554b11d0a08a82a315e0a66fec7718daf
MassLogger
d0f1b190868c2b25c602e6eee551a39fe677678d6e7dc45eb304fa82a5760799
MassLogger
e8fedfa7d06811f116ce712ea9e2c96918bc4e168105e092354ebd5f708319b7
MassLogger
e97151ce51e9463bd45ad41571141614fc0ffc8a8cbf2c74f36c20028a769f41
MassLogger
eb7f7ea77d9a66362658c953803f13d91e0111e95bb199207f40db3eaea2a03d
MassLogger
+ 535 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger spyware stealer
Link:
https://tria.ge/reports/201120-v7twzw8262/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
ServiceHost packer
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
da83bbcab430f445e9aa596ab56807c13cb93c6f237570f06f30005b324106ed
MD5 hash:
04ac10b3592c9694bf59a51f31c8b239
SHA1 hash:
16ccad5aa6f5e450d24b9e70063dfdba345ce940
Link:
https://www.unpac.me/results/e9d1015b-d6fd-449b-9f0c-702e6a1a4b8f/
SH256 hash:
0bb9226c32e2505fc4f25a368e909afd29152096ac001aa604eda6ca16b34a3f
MD5 hash:
13dac49a8fa76b2c8839783922398ea2
SHA1 hash:
aadcf85bdac1ca3daa3ce64af64984492b2a19d7
Link:
https://www.unpac.me/results/e9d1015b-d6fd-449b-9f0c-702e6a1a4b8f/
SH256 hash:
c8671a87d685f2354d96f3cfcad530dfa5f3ec535a0f5ec14940d81fb857813b
MD5 hash:
b5358f677850210361f573c7d249c258
SHA1 hash:
215e06e319515d779efa88f7c05b343d6ec3f6a5
Link:
https://www.unpac.me/results/e9d1015b-d6fd-449b-9f0c-702e6a1a4b8f/
SH256 hash:
afc0a1e907704b209ca98d8350dad51450e22d5823419ad5ed404223a1b5a40a
MD5 hash:
8108cdcf8916735fb923dbc39775f6ac
SHA1 hash:
39a26279bb906d5e90c7e1db500258cc69aa2b91
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/e9d1015b-d6fd-449b-9f0c-702e6a1a4b8f/
SH256 hash:
c6fcf5d515d56cf746b4c4aa4695f11e9ad7f6063a96cda810bf39dc47c5a7a0
MD5 hash:
47509d9db24c975e55c287afdc459fad
SHA1 hash:
4f1f893555c985d7cbba731cf1fdbf49c6ecf793
Link:
https://www.unpac.me/results/e9d1015b-d6fd-449b-9f0c-702e6a1a4b8f/
SH256 hash:
96981afe9a6bf23c92467685fe0f0bb3a378ee6d29612fdef9c71a87462a5872
MD5 hash:
7f61f42b59a93428807081b4b2f65fd8
SHA1 hash:
7dcec5cc555b73a641e754e007046c72a2eb3202
Link:
https://www.unpac.me/results/e9d1015b-d6fd-449b-9f0c-702e6a1a4b8f/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar 5b3b6f608cdabbb7166b7462f5becb29723c908584b643a6cda21a27d1a6ece7

MassLogger

Executable exe 0bb9226c32e2505fc4f25a368e909afd29152096ac001aa604eda6ca16b34a3f

(this sample)

  
Dropped by
MD5 08ded15be65e130d2c8cc3789e173267
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5b3b6f608cdabbb7166b7462f5becb29723c908584b643a6cda21a27d1a6ece7

Comments