MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1dbbc7c4da00acd7ae17d3b37197cd559412d779024efd6fff22e35852a33619. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	1dbbc7c4da00acd7ae17d3b37197cd559412d779024efd6fff22e35852a33619
SHA3-384 hash:	be5bc5388c61b5d83e52e266a055622a6de604af4686652fbc39d9c0f24037efba173c4d570a22620b8f1cd45bdc8cee
SHA1 hash:	85b9f77eccb7f413b79216c6d5cd6f0dc2bb878c
MD5 hash:	98539cd496816d584ee3b71988fa3df8
humanhash:	alpha-oregon-winner-red
File name:	EFS QUOTATION LISTS #09172020.pdf.scr
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'043'456 bytes
First seen:	2020-09-17 11:35:52 UTC
Last seen:	2020-09-17 12:38:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:vbLu0mLFPuv2zv1gVzYx8DC3+qZWvQvcA3s6V9oqodtT6QNKXQwhUPe/+ykONWxM:vfup52VnmdYYvF3LoP6QNKXQyC2LS
Threatray	230 similar samples on MalwareBazaar
TLSH	9225AC232238FEA2F92C77F4E02589111FEEAC468627F6653DBBF1F95877A404351252
Reporter	malwarelabnet
Tags:	MassLogger

Intelligence

File Origin

# of uploads :

3

# of downloads :

89

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.424.9591.11854.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/469008

Signature

.NET source code references suspicious native API functions

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1dbbc7c4da00acd7ae17d3b37197cd559412d779024efd6fff22e35852a33619/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-09-17 03:50:01 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dw54prg2acwnplqx2ozxdf6nkwkbfv3zajhp2377elrvquvdgymq._file

Verdict:

suspicious

Similar samples:

234b2c300af5e4ac2001332e07c2e54bd48dac174cf8b5d0c486a3cc6076043c

59266059bf9ed1325138907f3f74f4838600be78e310b8165333935e18817d5a

669c338b6022e64b567ca5975b33f2ca26ec77e3b85d3dcb5b8d2002417333d9

9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4

9f0866780aa84107697212f1b3578777c450861c02a6e01f5741de28c858900c

a920f6bd5e8cf8734daa7aa6b0a79b3edc9725c436f5b6bdec9a7490792c8298

d8cea078199dbdef51ec7189cf03541bbcbd10c49a133b187348e2a24fe1e2eb

dd652810ff0fc0288768ac20d5fcc76f7bc517c3ed8b066a18340a8b69c69c3a

e2df2b406150713616dbcbdbba76f1939e2605c3b30c6ae62e05832eb874e0e0

f784d412a56ccd414525c22e6b2e7c9482040e89be20fdb1f2e4db0016812ea7

+ 220 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/200917-h9qa95eytj/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1dbbc7c4da00acd7ae17d3b37197cd559412d779024efd6fff22e35852a33619

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe 1dbbc7c4da00acd7ae17d3b37197cd559412d779024efd6fff22e35852a33619

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/62842/

URLhaus

https://urlhaus.abuse.ch/url/545115/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample