MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a47c3d7fb87119788726fbd3cc8962ef88a9c8ad11ec066250d38eddf1dd301. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a47c3d7fb87119788726fbd3cc8962ef88a9c8ad11ec066250d38eddf1dd301
SHA3-384 hash: 3591bf3c254db877aee73d78ddc4785261ffadee1efba793739f623955e84d6bb19acfd874c5859adbb3e20c37a41928
SHA1 hash: 30bc5b12ac47cc4d75c1688f23eb0f4cf47ba87a
MD5 hash: 3cf0adfd6dc4b21422fe227b3fb4632d
humanhash: moon-indigo-august-victor
File name:8888888888.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'509'888 bytes
First seen:2020-08-31 05:58:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 73ae1eef07955a270fc7a7f873444c85 (16 x AgentTesla, 8 x MassLogger, 5 x Loki)
ssdeep 24576:BQvrCXEucruic247nrns/rMek3cciijMLwa6l5SkOdgRC:BIsTsy3cciig8VekFRC
Threatray 557 similar samples on MalwareBazaar
TLSH 1465BF62F2924437F1731A389D1B53B49C3ABEC36D2868466BF8DD4C4F3968178352A7
Reporter abuse_ch
Tags:exe geo MassLogger TUR ZiraatBank


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: mail.ertenler.com.tr
Sending IP: 185.46.55.59
From: ZIRAAT BANKASI <teknik6@ertenler.com.tr>
Subject: 5000, EUR Swift Bildirimi
Attachment: Ziraat Ba..esaji pdf.rar (contains "8888888888.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
PUA.Win.Adware.Webalta-6854075-0
Create hunting rule

PUA.Win.Adware.Webalta-6862190-0
Create hunting rule

PUA.Win.Adware.Webalta-6879873-0
Create hunting rule

SecuriteInfo.com.Trojan.DownLoader34.29944.17906.10656.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Running batch commands
Creating a file
Unauthorized injection to a system process
Enabling autorun by creating a file
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/454892
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 279824 Sample: 8888888888.exe Startdate: 31/08/2020 Architecture: WINDOWS Score: 100 44 Antivirus / Scanner detection for submitted sample 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected MassLogger RAT 2->48 50 4 other signatures 2->50 9 8888888888.exe 2->9         started        12 wscript.exe 1 2->12         started        process3 signatures4 54 Detected unpacking (changes PE section rights) 9->54 56 Detected unpacking (creates a PE file in dynamic memory) 9->56 58 Detected unpacking (overwrites its own PE header) 9->58 60 6 other signatures 9->60 14 notepad.exe 1 9->14         started        17 8888888888.exe 3 9->17         started        20 8888888888.exe 12->20         started        process5 file6 62 Drops VBS files to the startup folder 14->62 64 Delayed program exit found 14->64 40 C:\Users\user\AppData\...\8888888888.exe.log, ASCII 17->40 dropped 22 cmd.exe 1 17->22         started        66 Writes to foreign memory regions 20->66 68 Allocates memory in foreign processes 20->68 70 Maps a DLL or memory area into another process 20->70 24 8888888888.exe 2 20->24         started        26 notepad.exe 1 20->26         started        signatures7 process8 file9 29 powershell.exe 19 22->29         started        31 conhost.exe 22->31         started        33 cmd.exe 1 24->33         started        42 C:\Users\user\AppData\...\888888888.vbs, ASCII 26->42 dropped process10 process11 35 powershell.exe 33->35         started        38 conhost.exe 33->38         started        signatures12 52 Deletes itself after installation 35->52
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a47c3d7fb87119788726fbd3cc8962ef88a9c8ad11ec066250d38eddf1dd301/
Threat name:
Win32.Trojan.Smartassembly
Create hunting rule
Status:
Malicious
First seen:
2020-08-30 21:13:37 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hjd4hv73q4izpcdsn66tzsewf34ivhek2epmazrfbu4o3xy52maq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
0213d8db1a9c13b9dc0926e8102e937054512783c310e9b9ede0f069271ea727
MassLogger
16409c652c71d20561e477306873670bcd398718c783dfe31b5045d66f82962d
MassLogger
45e3a9f28c7e79a55264a5c88490dfe51a73639eac96e29f724bdc96232e341b
MassLogger
4b9f712433c48ac510be9620a98f09883e4c363c2c265c3534a381c3cc17b932
MassLogger
72d5c98fe79c389a77998ac369b5e679207b89aabb8b54cbe93346e7edc4a39a
MassLogger
9d839079365af7cef63e51d9b4e8f751272cb753852dc67092ae84dde4bf1778
MassLogger
a5db59c39cc0fde14b20829d7dea9e83ad5b4d80d66a22e91a392990143f41a4
MassLogger
b7c38b8ca8e90da906c7df9ea379e0c9386780ee32b174cd1f82cd8662822efc
MassLogger
becfc540b629cb5ddf0741458b15ea2a0ccf827d0c6cadbc52d004a913b5a080
MassLogger
f27eb43c59ea9a9f7ffc4e9bb14e67fd1667825c0e8851d4a1abb9441180076a
MassLogger
+ 547 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware upx stealer spyware family:masslogger
Link:
https://tria.ge/reports/200831-6pby3jkv52/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Reads user/profile data of web browsers
UPX packed file
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3a47c3d7fb87119788726fbd3cc8962ef88a9c8ad11ec066250d38eddf1dd301

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar de9bf2616d90ec71115f5704bf2a064f3665861bfce6fc6a7b95f6675decf0c0

MassLogger

Executable exe 3a47c3d7fb87119788726fbd3cc8962ef88a9c8ad11ec066250d38eddf1dd301

(this sample)

  
Dropped by
MD5 9b34ca3198edf0a64eb6a36cc1394d69
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/53266/
  
Dropped by
SHA256 de9bf2616d90ec71115f5704bf2a064f3665861bfce6fc6a7b95f6675decf0c0

Comments