MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30dac0d69e366db4ce57a0935d5619e4bcebfcbaa9f14b7618970cc2aaa522f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30dac0d69e366db4ce57a0935d5619e4bcebfcbaa9f14b7618970cc2aaa522f4
SHA3-384 hash: b8ecb4fc365c65ef484cc7ff2a78c927057281237afef6fe59fa88a79cadf8131fdd808c9a9b7c2c33090dea51c81267
SHA1 hash: eabc80e887de547dc8dd16d4d0a515df48f30791
MD5 hash: 7ba9c730b33fd37be0eec329aabeb6a0
humanhash: mississippi-helium-lactose-neptune
File name:Ziraat Bankasi Swift Messaji.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'353'728 bytes
First seen:2020-07-13 11:12:32 UTC
Last seen:2020-07-13 12:01:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:HTuZ7ESG7DEwqAj0hFZm8LbltfjLoA1TRRXAglVxvovRNKDtpaewDCIeWB:yRESG3EwSI83/rLoKXHlV8RNKRwRO
Threatray 1'084 similar samples on MalwareBazaar
TLSH 3455083A7982D469C5191636C4B85CC0B7A5768A3796CB1F30CE13485E03BAFFF075AA
Reporter abuse_ch
Tags:exe geo MassLogger TUR ZiraatBank


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: ileti.ziraatbank.com.tr
Sending IP: 45.138.172.32
From: ZIRAAT BANKASI <ziraatbank@ileti.ziraatbank.com.tr>
Reply-To: ZIRAAT BANKASI <ziraatbank@ileti.ziraatbank.com.tr>
Subject: 3000, USD Swift Bildirimi
Attachment: Ziraat Bankasi Swift Messaji.r00 (contains "Ziraat Bankasi Swift Messaji.exe")

MassLogger SMTP exfil server:
mail.alestayachting.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WUR.21401.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Running batch commands
Launching a process
Creating a file
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30dac0d69e366db4ce57a0935d5619e4bcebfcbaa9f14b7618970cc2aaa522f4/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-13 11:14:07 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gdnmbvu6gzw3jtsxucjv2vqz4s6ox7f2vhyuw5qys4gmfkvfel2a._file
Verdict:
unknown
Similar samples:
0785384b7bf97e6d74ac22ce8a6ba6cd629d858dd778928f6a4eac974c35cf61
MassLogger
12c7ff58c14c67fa84752c1b136860c7c621ccf8cd947183f6b1c918b4c8c737
MassLogger
2467434b0ac840b5f4dfa8ac3bc14ac9ee6004e7b71bfd3303ab62b6345f0c62
MassLogger
4193084a6eba68bbb6aef41ffc1f21685208c6b942de9e5853b70b04834c296e
MassLogger
540a1ab8a63b1b07ea3d80939868a94dafb79f6e2fc37a8a2cc22ded21c60deb
MassLogger
824f3b6b2f801742c68deb29ccf2347f591c5d04262dc1ad9efcb756be99ea25
MassLogger
c93d6c966b427a7fbc632d2f6b39a09df059b56e0c4e4a307b0318c4198219c5
MassLogger
d7269fff7321b7254a2a6ce7e6fb9b8347d73cb78597d73412b8d21344832e81
MassLogger
e3b22f7b9f72b19b41dfe024803aeeaa88d0072a3e10a5bea82413285721c91b
MassLogger
e9ca08e9192adcb0c65eae06bbc2ba1439b2615aeefee53a7cb26f15d691c071
MassLogger
+ 1'074 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
stealer spyware family:masslogger persistence
Link:
https://tria.ge/reports/200713-r3xn39kg7a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run entry to start application
Looks up external IP address via web service
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
MassLogger log file
MassLogger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

r00 7cfbde8e87809e872fa1dc3d178d4644cf19e921534c746c05ada8a7bc573d17

MassLogger

Executable exe 30dac0d69e366db4ce57a0935d5619e4bcebfcbaa9f14b7618970cc2aaa522f4

(this sample)

  
Dropped by
MD5 5fb92ca8d14f90f4fec0016841ea1bc4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/25200/
  
Dropped by
SHA256 7cfbde8e87809e872fa1dc3d178d4644cf19e921534c746c05ada8a7bc573d17

Comments