MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35f2b564b92926be5ad794706e1acb2ee4b0b0972ccdeeaa71551ff12e546fd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35f2b564b92926be5ad794706e1acb2ee4b0b0972ccdeeaa71551ff12e546fd5
SHA3-384 hash: 52cafc81f0a678b21b1f8a787a1323760cd138c80b2260884a07ade9ea83c5ddf9989d0bf47626289ae3703127739025
SHA1 hash: c7f4508e9506f3ffd4374b1868641c7d101fbca5
MD5 hash: 2219b366a9ef1717d8156fe30323723e
humanhash: california-wisconsin-summer-artist
File name:uA8X4cCaArMOkx7.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'074'688 bytes
First seen:2020-10-21 08:56:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:1VfohziZrjJNET0K9bzmy8ooqsqu0Qs0ZH7tqH0kr1q7Y:1Vfohz+s00b+5qsiQxRqHpq
TLSH 3C35129A7204B2FEC81FC271DB445C50FB406EBA53AB46039513BAED59BD98ACF141F2
Reporter abuse_ch
Tags:exe geo MassLogger TUR ZiraatBank


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: srv1.demspor.com
Sending IP: 31.169.94.221
From: ZIRAAT BANKASIil <ziraatbank@ileti.ziraatbank.com.tr>
Reply-To: ZIRAAT BANKASIi <ziraatbank@ileti.ziraatbank.com.tr>
Subject: 4000, EUR Swift Bildirimi
Attachment: Ziraat Ba..esaji pdf.rar (contains "uA8X4cCaArMOkx7.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/73923/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.13288.17617.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/505472
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35f2b564b92926be5ad794706e1acb2ee4b0b0972ccdeeaa71551ff12e546fd5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 06:27:44 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gxzlkzfzfetl4wwxsryg4gwlf3slbmexftg65ktrkup7clsun7kq._file
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
stealer spyware family:masslogger
Link:
https://tria.ge/reports/201021-3xak4lhgqj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
35f2b564b92926be5ad794706e1acb2ee4b0b0972ccdeeaa71551ff12e546fd5
MD5 hash:
2219b366a9ef1717d8156fe30323723e
SHA1 hash:
c7f4508e9506f3ffd4374b1868641c7d101fbca5
Link:
https://www.unpac.me/results/362a8ab3-e733-4b37-8725-2272cfa3f4e5/
SH256 hash:
aa9f8b3f3a42d6d3c6f5ecb49cad04c104ea1458f3b4871f91aeed3f2ad4f40b
MD5 hash:
05136d5c668d533cd9851b7ada91d826
SHA1 hash:
24e38305c8d422df7dae3b288bc56dc3e3130117
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/362a8ab3-e733-4b37-8725-2272cfa3f4e5/
Parent samples :
ae5707f5f0a688fe98d545b88eb0fafcddc9ac9719bc381f3394681c20af59b5
35f2b564b92926be5ad794706e1acb2ee4b0b0972ccdeeaa71551ff12e546fd5
SH256 hash:
f7ee6de22886d550bb895188109f83fab591778194d541e7b8ba3bdf86536fab
MD5 hash:
4dfc1d2462fa39cbe64693c5c52b0be9
SHA1 hash:
30fd5058bec5b8acaf7c24c6f282c0f5271bc8bd
Link:
https://www.unpac.me/results/362a8ab3-e733-4b37-8725-2272cfa3f4e5/
SH256 hash:
a0f9278f5cbbda83db8bfb6b17e8e859b3f58d7accd21c560934b3712b97bcdf
MD5 hash:
04d40660ac96d0b0c04aea038b379c79
SHA1 hash:
d4c5caf248b0c44732d71b6676e64fc928e50f35
Link:
https://www.unpac.me/results/362a8ab3-e733-4b37-8725-2272cfa3f4e5/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar dc8b787d8146b1014359b22bcac287d8b23f62f77c186ee5ac3fa744b4a7842f

MassLogger

Executable exe 35f2b564b92926be5ad794706e1acb2ee4b0b0972ccdeeaa71551ff12e546fd5

(this sample)

  
Dropped by
MD5 81e6cb12d1d47f5d9765540287b0990e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73923/
  
Dropped by
SHA256 dc8b787d8146b1014359b22bcac287d8b23f62f77c186ee5ac3fa744b4a7842f

Comments