MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 348acef68bed5a0d2f034135b22cedae642fe96251ab3d7ad150163403c3a145. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	348acef68bed5a0d2f034135b22cedae642fe96251ab3d7ad150163403c3a145
SHA3-384 hash:	a9febe030840fad76a1163e0c962d9f454702570fa67a600948eda8e33c0090e1daab4ab0a147c68346e5e9809e67e3f
SHA1 hash:	d234788d8649da8196fa8e751dcd6e130e8e206a
MD5 hash:	9308faccd859418beb5a696d70329f9a
humanhash:	quiet-maryland-louisiana-may
File name:	Halkbank_Ekstre_20200521_082357_541079.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	996'352 bytes
First seen:	2020-10-17 06:54:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bd0ccfffe29beda9bfd332e673d3d4c7 (3 x AgentTesla, 2 x Matiex, 1 x Formbook)
ssdeep	24576:UYCQtllJ06DAvEObaoeUlZmY7tBfxZ9EbiqnKm:UfilJVDAR3lHBfT9gii
Threatray	16 similar samples on MalwareBazaar
TLSH	1B258C11AD9D7472D5D114BF023CAEB30B990CFA060F6CA7778A2B5FB5E6680D718623
Reporter	abuse_ch
Tags:	exe geo Halkbank MassLogger TUR

abuse_ch

Malspam distributing unidentified malware:

HELO: ne.netbotixapi.live
Sending IP: 45.95.171.134
From: HALKBANK.E-EKSTRE-halkbank.com.tr <info@netbotixapi.live>
Subject: T.HALK BANKASI A.S. 01.01.2019 - 16.10.2020 Hesap Ekstresi
Attachment: Halkbank_Ekstre_20200521_082357_541079 3.r00 (contains "Halkbank_Ekstre_20200521_082357_541079.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

117

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Trojan.KillProc2.13324.27662.17166.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a file

Running batch commands

Launching a process

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Enabling autorun by creating a file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/494309

Signature

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/348acef68bed5a0d2f034135b22cedae642fe96251ab3d7ad150163403c3a145/

Threat name:

Win32.Infostealer.Maslog

Status:

Malicious

First seen:

2020-10-16 21:28:14 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gsfm55ul5vna2lydie23elhnvzsc72lckgvt26wrkaldia6dufcq._file

Verdict:

suspicious

MassLogger

16fda49dd0a5b3c520619c1f5e88723cd2fe0c92b9cc2946416b2e29a1ccdfff

MassLogger

46e5baf1b4d81819842fa7145a3ec446d956fedbafb1a3d36d77ffa06dbfcb74

MassLogger

47602d03fd9625c7212ea4b5dbb919f587f4e5d5c3eedf58304bf5a851beac9a

MassLogger

4a40496f800e2a11c1e2a12176d062b59fe536f18fb236f98e66231448aaa2e8

MassLogger

a4d0e327754a32781d1c9a2ab27f879e9f0cc0b7c5712fa67dfa4b0f9cf54492

MassLogger

a76869f6ece56a889175cb2cebdb60e4a24025184ebeb7fa9c6210668eb023fe

MassLogger

ce0e9c38f501c41244755438857cf76ab25727502b344c65d30075ff3338f43c

MassLogger

d32af58205d0773daf139d13738f918e03f4d30439086b6eda0dfceef3369b58

MassLogger

d57b7809ae71b779b00aa2e7e3b55c3ff6c210453e19a872489e330285031ed3

MassLogger

+ 6 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

stealer spyware family:masslogger

Link:

https://tria.ge/reports/201017-yhnm4j521x/

Behaviour

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

MassLogger

MassLogger Main Payload

Unpacked files

SH256 hash:

686407f778d23f04014be451e173786efc79644f812ff0297891b73e8f765154

MD5 hash:

6f83852f99c3a922740b159813d4962b

SHA1 hash:

80047399dd0bcdbaf1f5e443c9ebcac29c3127fa

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/4d7705c6-4e78-4d77-9563-6abcb490844a/

SH256 hash:

348acef68bed5a0d2f034135b22cedae642fe96251ab3d7ad150163403c3a145

MD5 hash:

9308faccd859418beb5a696d70329f9a

SHA1 hash:

d234788d8649da8196fa8e751dcd6e130e8e206a

Link:

https://www.unpac.me/results/4d7705c6-4e78-4d77-9563-6abcb490844a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/348acef68bed5a0d2f034135b22cedae642fe96251ab3d7ad150163403c3a145

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

r00 0acf32b7f43ea4ee1b1fb0119f570d3422363a64626fc8afab8e6ede5a1aa2cd

MassLogger

exe 348acef68bed5a0d2f034135b22cedae642fe96251ab3d7ad150163403c3a145

(this sample)

Dropped by

MD5 14152cf570b27475e783c0388fc5ff07

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/72468/

Dropped by

SHA256 0acf32b7f43ea4ee1b1fb0119f570d3422363a64626fc8afab8e6ede5a1aa2cd

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample