MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 310f5815e8e68ccdf1d75985e8fbbe6b3b9a6997155505d97066d75c6ab9ced7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	310f5815e8e68ccdf1d75985e8fbbe6b3b9a6997155505d97066d75c6ab9ced7
SHA3-384 hash:	2979bb341c560d3a39e858c633f8b3635f78de90411b6bf14fb480ac0b62a955d1179fc40eb204b8bb5de64c8f5ad267
SHA1 hash:	cc2d75450d3ea4dae5bf46d1954b92f0751df257
MD5 hash:	2887624a6e23f6acdf6e85872ef4d827
humanhash:	eighteen-eighteen-seventeen-grey
File name:	WGEQFc9wg2hwJ2r.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	906'752 bytes
First seen:	2020-11-07 10:23:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:AxkxOevyNRJJcdXQvA5qntLQFLvmsze1sImKXcbm/c8gscynnkki:mkxOzLJievA4ntLq1zeyxbmuSkki
Threatray	490 similar samples on MalwareBazaar
TLSH	FF15F17222A85F60E17EB778913114100BF1F552E736E60E7EE564CC29B2F849AB2F13
Reporter	abuse_ch
Tags:	exe GarantiBBVA geo MassLogger TUR

abuse_ch

Malspam distributing MassLogger:

HELO: mail.kordonweb.net
Sending IP: 92.42.37.134
From: Garanti BBVA <export@hayfirca.com>
Subject: Yurtdışına Giden Para Transferi (SWIFT)
Attachment: swift.rar (contains "WGEQFc9wg2hwJ2r.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

104

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Inject4.4383.4596.21105.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Launching a process

Deleting of the original file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/523794

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Deletes itself after installation

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/310f5815e8e68ccdf1d75985e8fbbe6b3b9a6997155505d97066d75c6ab9ced7/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-11-06 04:58:14 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gehvqfpi42gm34oxlgc6r656nm5zu2mxcvkqlwlqm3lvy2vzz3lq._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

265c93af05ea076407228de4cdfecc5e4052273610d35021afd1d0e72c81bb92

MassLogger

2e6b47bbdb9f281c1432dc63d92d67ca891adf87e20edfa456789c8724a4b7b1

MassLogger

586eadfc1fef3d64e165d65502aa2e27ef8a4ab4079ac1e4d96d4f65e0126a6f

MassLogger

6030faadae8d2aa1b94b06da9c0d4ed3ce33076a1bc04218027519b1043a6a95

MassLogger

78a59829f0dd9b3ec88a68096284de67dd8806d3690d11f017f7b2893a98354d

MassLogger

88226f4130b8bf3dd02b00034d963478cb52d2f18cf4322baadfb26153d3e5c4

MassLogger

a94b1b1f02dbaf0895a93de9df8603115501866ce76a147cb2e4330b0894b928

MassLogger

b4c677c568152f925904f613d1361015ea9a07d105874411dc7962f57ebd7412

MassLogger

cfde16e103af9e59944d44d7f12e5755313948273cd64237df2dce50811866db

MassLogger

+ 480 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

family:masslogger spyware stealer

Link:

https://tria.ge/reports/201107-5tzl7epxbx/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

Deletes itself

MassLogger

MassLogger Main Payload

Unpacked files

SH256 hash:

526b839fee99a77bd91e49ee8e3176cc930db28c636cfbded7806085a24a0843

MD5 hash:

bd969c641c77d1c46bc9b2c059990759

SHA1 hash:

0ca63959adbfcfa46e36efafb31713999d757bec

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/6f1d9e60-cdea-4ac7-a624-a3f34b0488ad/

SH256 hash:

1d3511938426a0e7e334cce2dd571e47514c6a8bfdc9d21d3830d3f5dd4654a0

MD5 hash:

5d0c44ef9c2d81dbafea18f7ac19f4ae

SHA1 hash:

3b3a906497c163c8f2309835d63e80c462b63b36

Link:

https://www.unpac.me/results/6f1d9e60-cdea-4ac7-a624-a3f34b0488ad/

SH256 hash:

3d8f7e79ab055b750c49a1fa207036435d74c37e85a74566e58db4454f989dad

MD5 hash:

ee3d4cd2a9adce77da285910d9e3a241

SHA1 hash:

6eb491bd73b57c79c27d5bd3f83d75af575b4947

Link:

https://www.unpac.me/results/6f1d9e60-cdea-4ac7-a624-a3f34b0488ad/

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/6f1d9e60-cdea-4ac7-a624-a3f34b0488ad/

SH256 hash:

310f5815e8e68ccdf1d75985e8fbbe6b3b9a6997155505d97066d75c6ab9ced7

MD5 hash:

2887624a6e23f6acdf6e85872ef4d827

SHA1 hash:

cc2d75450d3ea4dae5bf46d1954b92f0751df257

Link:

https://www.unpac.me/results/6f1d9e60-cdea-4ac7-a624-a3f34b0488ad/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar 5315833f08b411947e8156bc9d1a8406a5c8e2b182665c90847db6a9a98814a9

MassLogger

exe 310f5815e8e68ccdf1d75985e8fbbe6b3b9a6997155505d97066d75c6ab9ced7

(this sample)

Dropped by

MD5 97a19aee6f2f982abcebc19bb1871929

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 5315833f08b411947e8156bc9d1a8406a5c8e2b182665c90847db6a9a98814a9

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample