MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a8d85a16bcc49b33c11489af823ff2f15caa31ecb616330bb54a4ca5b261769. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	1a8d85a16bcc49b33c11489af823ff2f15caa31ecb616330bb54a4ca5b261769
SHA3-384 hash:	2b63d29ad17aab813ce4d3c4e7d48ab7ab71d6d8cd516369e6868fd51075364d4bf6717dcd670c6648c7c057baab167b
SHA1 hash:	b42b7e0198f042555daf23056b32dd1e8fc31fca
MD5 hash:	7b6da1a64da2889e2b5abaf3c3bcfa2e
humanhash:	video-white-nine-mango
File name:	TF-37019317047324.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'177'088 bytes
First seen:	2020-08-10 09:49:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ce9dc34dcdc6dcac1abc92d3ec049de7 (11 x AgentTesla, 4 x MassLogger, 2 x FormBook)
ssdeep	24576:n4UOaeCWal93GVRLEBMp9NFSUl5YPud67stC+6YG165Je8yNSry:nnWM9kRLEBMPS+67s0v65Je8yYry
Threatray	2'049 similar samples on MalwareBazaar
TLSH	E245E126F2E04837C367DA3F9C1B5267982ABE51392469852BE45C4C4F397B43C252BF
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: g5ps.com
Sending IP: 185.222.57.136
From: Noufal Alzaher <noufal.alzaher@g5ps.com>
Subject: RFQ#20192627
Attachment: TF-37019317047324.cab (contains "TF-37019317047324.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Ispy

Link:

https://www.capesandbox.com/analysis/42642/

Detection(s):

SecuriteInfo.com.BScope.Adware.Kraddare.1524.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Using the Windows Management Instrumentation requests

Running batch commands

Creating a file

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/416697

Signature

Contains functionality to detect sleep reduction / modifications

Deletes itself after installation

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Maps a DLL or memory area into another process

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1a8d85a16bcc49b33c11489af823ff2f15caa31ecb616330bb54a4ca5b261769/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-10 09:51:13 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dkgylillzre3gparjcnpqi77f4k4viy6znqwgmf3kssmuwzgc5uq._file

Verdict:

malicious

Label(s):

hawkeyekeylogger

MassLogger

3fd662d7caf82ecc8b61b4fa261bc51510851aa36099a85f66c2689c507e11d7

MassLogger

4c8728146976e30a09321d1e158aeeb46908c54fa8614ccef7fbc9761956eca4

MassLogger

5bcbbf82aa7c1bde8cddd6a6d50b4b082555ddb0dd23dd468ef238850238ed2a

MassLogger

6cf454ec0892e0367356ae674e93612f1c23d9c99874d8ff7de7d77055cbf9c6

MassLogger

785b500d98d194c034b9c371eee464210f08aae5d83829c6262b713c3bb57a6e

MassLogger

a4df7bd8daff5a4723055c7589244e1719c45223f09f42b06a621aad5ee1f2f4

MassLogger

a9f8d8a5503dca2d63d36e17041e6d065a6bf7bad41c000dd6d5a1e73d18d786

MassLogger

b8789e245fdcc8f15b3e86a516660004980a8febea95077b7606e5bfc4a7bd31

MassLogger

c7202ac90daa5d696736a32eff2c930eba08332c9416ff6a464ce3ea17f414f9

MassLogger

+ 2'039 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware upx stealer spyware family:masslogger

Link:

https://tria.ge/reports/200810-ggf9ktb5v6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

UPX packed file

MassLogger log file

MassLogger

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1a8d85a16bcc49b33c11489af823ff2f15caa31ecb616330bb54a4ca5b261769

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

cab ad812e351a0919d09ca9e87307d63cd0fbe78675a7777fc51bf1b57ef5142836

MassLogger

exe 1a8d85a16bcc49b33c11489af823ff2f15caa31ecb616330bb54a4ca5b261769

(this sample)

Dropped by

MD5 06337bff848185dfabc3ec41e643b2a6

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 ad812e351a0919d09ca9e87307d63cd0fbe78675a7777fc51bf1b57ef5142836

Cape

https://www.capesandbox.com/analysis/42642/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample