MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a174a8823aea425c1e4faae5879a783f18df206c436d12995e015448428caa3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a174a8823aea425c1e4faae5879a783f18df206c436d12995e015448428caa3
SHA3-384 hash: bfce3d0c13959c7c171144dfbe2a64cf317ce2db2f57964877850c4d1c52c2908d2b880fcd1c8899dcc8be18e2c99b47
SHA1 hash: 083ad213dd1443eea25f267f270c3f026a889044
MD5 hash: 6c9c19ecfb3a2a66ed8ea54b39c15acf
humanhash: twenty-lactose-mango-triple
File name:Swift Email Bildirimi pdf.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'266'176 bytes
First seen:2020-10-19 07:24:34 UTC
Last seen:2020-10-19 08:24:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'471 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:7Jikat8WoYFolxxZBzn11t/ZMXpAXxNNa2A1GUKzodG:QSWodxZF1DxMu/Na2ANKzo
TLSH 9045AD5023F80B19F17B97F5922410419BB6BA9A143ED24CBDDD35DE6F72B010AA3B27
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: server.hostagen.com
Sending IP: 185.255.93.151
From: trust@al-tuwaijri.com
Subject: Bank transfer swift document
Attachment: Swift Email Bildirimi pdf.uu (contains "Swift Email Bildirimi pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72782/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.26167.9463.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Creating a file
Launching a process
Sending a UDP request
Creating a window
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/494996
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a174a8823aea425c1e4faae5879a783f18df206c436d12995e015448428caa3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 03:31:16 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hiluvcbdv2sclqpe7kxfq6nhqpyy34qgyq3nckmv4akujbbizkrq._file
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
stealer spyware family:masslogger evasion
Link:
https://tria.ge/reports/201019-stqpyk3792/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
3a174a8823aea425c1e4faae5879a783f18df206c436d12995e015448428caa3
MD5 hash:
6c9c19ecfb3a2a66ed8ea54b39c15acf
SHA1 hash:
083ad213dd1443eea25f267f270c3f026a889044
Link:
https://www.unpac.me/results/3f3ad1fb-1ef5-4cb0-960b-0681ae7ea701/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/3f3ad1fb-1ef5-4cb0-960b-0681ae7ea701/
SH256 hash:
9679ba3059a9c8c9d7c01f5e7315fe8154a5d01ccb83af86bcccd7db54b28b7a
MD5 hash:
db3b74baf00806326c9b452916edaca5
SHA1 hash:
2876730beb5d29ec36619a8f02e088a5912d0df9
Link:
https://www.unpac.me/results/3f3ad1fb-1ef5-4cb0-960b-0681ae7ea701/
SH256 hash:
f4d2bd5b76da73dc177e59130854387ec549ac8f7b3a5f150779515f588636b1
MD5 hash:
6488d0927bf6d6ee1dd949cf298c80cb
SHA1 hash:
c8e73bdab10d6bc3462d2a6c122d229c910d7e04
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/3f3ad1fb-1ef5-4cb0-960b-0681ae7ea701/
Parent samples :
3a174a8823aea425c1e4faae5879a783f18df206c436d12995e015448428caa3
4391d0f7038e267c0b8603c0ae2969f6070ad3a2653387fff68038c03f945012
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3a174a8823aea425c1e4faae5879a783f18df206c436d12995e015448428caa3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar 4abbff8d3ab24b4daf1dda74369e769ef1c277adf9d73041ffbd0c186fe606bf

MassLogger

Executable exe 3a174a8823aea425c1e4faae5879a783f18df206c436d12995e015448428caa3

(this sample)

  
Dropped by
MD5 5c7605319d631f2dd0e6ce3facb3eaac
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72782/
  
Dropped by
SHA256 4abbff8d3ab24b4daf1dda74369e769ef1c277adf9d73041ffbd0c186fe606bf

Comments