MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ebfb9888d15c1377eb933a088f7aa3dd228523ffee36d7f8718c49d976dab6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ebfb9888d15c1377eb933a088f7aa3dd228523ffee36d7f8718c49d976dab6c
SHA3-384 hash: 0fe8002df7c0c1a4087de7b4ca7d9d8d048f989b8959706b639efab24ebbea2faf7af382a9d5057862618ab064a75808
SHA1 hash: adf5fa1d936d535c3e2248069fa19be135b395a4
MD5 hash: 73fa431487133088561f82eb6b52fdd5
humanhash: video-romeo-neptune-xray
File name:73fa431487133088561f82eb6b52fdd5.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'781'760 bytes
First seen:2021-02-28 08:43:02 UTC
Last seen:2021-02-28 10:48:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:fEF30qoD45kCnXOXC4rHxeKr1XXLcB/pi/oupFpLDno:2oDfcebj0KrI/pi/RLpf
Threatray 49 similar samples on MalwareBazaar
TLSH 4585AD06A522D891C7D02672439B8CB80361FD66BDDFE35A2A7C33176463DF68E07396
Reporter abuse_ch
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
936
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
73fa431487133088561f82eb6b52fdd5.exe
Verdict:
Malicious activity
Analysis date:
2021-02-28 08:55:35 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/adeb7e89-327b-483c-a901-f390fec4d893

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119996/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36415916.27208.20087.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Connection attempt
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/620872
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ebfb9888d15c1377eb933a088f7aa3dd228523ffee36d7f8718c49d976dab6c/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-28 00:03:56 UTC
AV detection:
5 of 48 (10.42%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
2cd722bc4e448f38f4e79e69a48a7fc3f92c09586e50bc0f3f9f8dc5f4495fcc
MassLogger
3f9b5ecaed880f50c6bee7504768aa9f362326666ff2197cc487f0707bff56fa
MassLogger
40afa1e323be151d0d7a38c72f771b0b9e909f49ddade942d4260a5e29e5ec2f
MassLogger
5389a958986f6ceccaa9e44006852becbccabfb07f126d69e6b031227fb0b487
MassLogger
6e0f67620da1ee82c0cfc0c166f2a027fdd8af9c8f4622952b19bed41de60b7b
MassLogger
a2c3a1451cbc854d4b5929132eb96e9e34b2a1f3bedb490b26699381bb80eeee
MassLogger
ae1101f81ed495b405d0f80d678da0a6eff8e2f9c432734302ffb764b215de0a
MassLogger
bbc467be402fa10957b329f79484dd0dfbf30ca52ed4275f0fa2085807786f5a
MassLogger
c74a02a5fb3879870c5c5b0ead39c54dffd97ee414cae94360c6dd12d9d023ae
MassLogger
d217032899487162688fa6c3855e13040b074de38d9c57c91b47c1190842edc2
MassLogger
+ 39 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
agilenet discovery spyware
Link:
https://tria.ge/reports/210228-7vafd1q82n/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
0ebfb9888d15c1377eb933a088f7aa3dd228523ffee36d7f8718c49d976dab6c
MD5 hash:
73fa431487133088561f82eb6b52fdd5
SHA1 hash:
adf5fa1d936d535c3e2248069fa19be135b395a4
Link:
https://www.unpac.me/results/7a01bb9f-6fd7-413c-bed9-c14cfda90929/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.52
Link:
https://yomi.yoroi.company/submissions/0ebfb9888d15c1377eb933a088f7aa3dd228523ffee36d7f8718c49d976dab6c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

Executable exe 0ebfb9888d15c1377eb933a088f7aa3dd228523ffee36d7f8718c49d976dab6c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/993438/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/119996/

Comments