MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 383c5be68c83202fd20ce29fe47dc6982229ae6bc87349c44216d875554c1d17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	383c5be68c83202fd20ce29fe47dc6982229ae6bc87349c44216d875554c1d17
SHA3-384 hash:	26d5010992e5f0508b75a871135f54ac68a1d70f9214e062106d9caebb22004fa707e9b5a909e5c078cd18d98eab8d43
SHA1 hash:	50e22b315ae950f8d58bb0719c4bbd378f58b379
MD5 hash:	e0e5f2e6fe3a03a0f20d87a40261668b
humanhash:	river-indigo-wisconsin-vegan
File name:	Datasheet.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'006'080 bytes
First seen:	2020-07-03 06:13:55 UTC
Last seen:	2020-07-03 06:51:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep	24576:n8VoAJE+mNfFCuYRlF+zxngwiVv/jaqLxd2/nBd:8VFJEPzCBwya6X2Jd
Threatray	602 similar samples on MalwareBazaar
TLSH	5725E0C032B64B56DABA43F74A72980047F6B97E253ED3594D8770EF95A1B100FA1B23
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing MassLogger:

HELO: msa-smtp16.hinet.net
Sending IP: 168.95.6.66
From: <cytina.chiu@msa.hinet.net>
Subject: 产品咨询(RG25LGSJ) - WITHCHEM 韩国化学贸易公司
Attachment: Datasheet.gz (contains "Datasheet.exe")

MassLogger SMTP exfil server:
mail.mkontakt.az:587

Intelligence

File Origin

# of uploads :

2

# of downloads :

70

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Trojan.Siggen9.56498.1171.23519.UNOFFICIAL

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/383c5be68c83202fd20ce29fe47dc6982229ae6bc87349c44216d875554c1d17/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-03 06:15:09 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ha6fxzumqmqc7uqm4kp6i7ogtarctltlzbzutrccc3mhkvkmdulq._file

Verdict:

malicious

Similar samples:

00168316f03e50b7cf516c090729a168491ff2bf8f3538abc8f64489c86ebd8b

25fc942b81a074fe6b40b2f817fb87d28a54949bf604e54c414c890a351b83e4

60464dbfb4a5cb7227d3afe20367adb84757365e1b9a466ef95c0c96c28b31cf

64ac97cf73567009fd4ea4707b2c0ac2917c74842a81bddf874889d772bf9146

77308f79f7cb15139144f338622072fe4adab5f73debb682a349fbee8700c4ed

93a1f0fa0637acd096c86ec4d7d3c6f73f689bf41f3cd16b5e5bcce48dcdc540

9c7b335e031c3c2fde1e7d75cbe08bd0951b0cb8a327fa4bd3e54c4c59d32936

a39ea4510d732392bba8682a020321dc7dfa259387244117cc90e072fea20c82

c9dcd1d7470488ed72d4a673592ab0c4684124dc7e69bb903d47d6a71ffe42fd

e5a67f4da5b8e9ecd086bfa4f6b8e49843656d2dd8adba4840ee9cf46da3054e

+ 592 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200703-8vlhpqxg8n/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger log file

MassLogger

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz 3d54e41c4973aec92d7198e866c45e9d50bf81d52afe85e378f8266e87e75f94

exe 383c5be68c83202fd20ce29fe47dc6982229ae6bc87349c44216d875554c1d17

(this sample)

Dropped by

MD5 fb971260a1374b48bc1db5b60a80f627

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 3d54e41c4973aec92d7198e866c45e9d50bf81d52afe85e378f8266e87e75f94

Cape

Cape

https://www.capesandbox.com/analysis/18580/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample