MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d8976fe6a79ea716fa15a77f0b6e301e1091fa1143cf1d4f558153ae259ab3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d8976fe6a79ea716fa15a77f0b6e301e1091fa1143cf1d4f558153ae259ab3f
SHA3-384 hash: 755aceeed599527b8a74645e8dc13f1881db1e562555905561969a77cdbbe38359c36eb42d38035c5b979f85912b938d
SHA1 hash: ce8b04e1e8bcbc7e89b1128337745dc64704fd59
MD5 hash: 245dc64c936592d8f1638b852ab605c3
humanhash: purple-five-hawaii-pasta
File name:Halkbank_Ekstre_20201130_080203_744632.pdf.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:667'648 bytes
First seen:2020-11-30 20:32:44 UTC
Last seen:2020-12-10 08:13:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:uGrbMz1iGig5TZKE2ARu29mt1BA1W3R0wrmcEPMPb3Q48:uGrbMzcGigGEEBAIR0y00j3Q48
Threatray 8 similar samples on MalwareBazaar
TLSH 7DE47B6E623255A2E7DE44308F0C7A2D2B53562C5CAF36C1DEB71A54F216233762CDCA
Reporter GovCERT_CH
Tags:MassLogger

Intelligence

File Origin
# of uploads :
31
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106127/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader36.19823.20732.32058.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Launching a process
Creating a file
Deleting of the original file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MassLogger RAT MicroClip
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/551388
Signature
Adds a directory exclusion to Windows Defender
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Yara detected MicroClip
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 324808 Sample: Halkbank_Ekstre_20201130_08... Startdate: 30/11/2020 Architecture: WINDOWS Score: 100 28 g.msn.com 2->28 36 Yara detected MassLogger RAT 2->36 38 Yara detected MicroClip 2->38 40 Uses an obfuscated file name to hide its real file extension (double extension) 2->40 42 7 other signatures 2->42 8 Halkbank_Ekstre_20201130_080203_744632.pdf.exe 15 3 2->8         started        13 Onvfyn_pi.exe 1 2->13         started        signatures3 process4 dnsIp5 30 mail.alfaomegaworld.com 108.179.242.107, 49724, 587 UNIFIEDLAYER-AS-1US United States 8->30 32 elb097307-934924932.us-east-1.elb.amazonaws.com 54.225.169.28, 49723, 80 AMAZON-AESUS United States 8->32 34 2 other IPs or domains 8->34 26 C:\Users\user\AppData\Local\...\Onvfyn_pi.exe, PE32 8->26 dropped 48 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->48 50 Suspicious powershell command line found 8->50 52 Tries to steal Mail credentials (via file access) 8->52 54 3 other signatures 8->54 15 powershell.exe 13 8->15         started        17 powershell.exe 26 8->17         started        file6 signatures7 process8 process9 19 Onvfyn_pi.exe 2 15->19         started        22 conhost.exe 15->22         started        24 conhost.exe 17->24         started        signatures10 44 Multi AV Scanner detection for dropped file 19->44 46 Machine Learning detection for dropped file 19->46
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d8976fe6a79ea716fa15a77f0b6e301e1091fa1143cf1d4f558153ae259ab3f/
Threat name:
ByteCode-MSIL.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2020-11-30 20:33:07 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hwexn7tkphvhc35blj37bnxdahqqsh5bcq6pdvhvlaktvyszvm7q._file
Verdict:
unknown
Similar samples:
0e9d08e343babe7fc9d6e9a9df3e29b8b5bd4b080a5cb32bd744cf02997d93cf
MassLogger
2f96167c307b2b82ca3ed1b6b6368b607cb075e178aef0ea4ff7bd4c203e7d6b
MassLogger
3d51c6c8739a9038ef4a2fd3c255ccb1206ea5e4e148af61ec47867395d3540d
MassLogger
667cc8470b2505337ba40eef76fc4ecb743b2bfea8081f17df81315afeb9ac35
MassLogger
bf618789e2d59d7bb417670150e59434cbf04c0300847740718f03f89591af58
MassLogger
c13f524ec129f1d14e10cf9de34fde8dfc121fb5d832272d7eceebd9a32b77c3
MassLogger
ee1a9615502f7e593a97d94528cffa575919ee29820bc99c27180296c228d5cb
MassLogger
f4af46ad96a86cad60d613a3387a0a68c580247ef88943e2ea0e5b9679a38c2e
MassLogger
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger spyware stealer
Link:
https://tria.ge/reports/201130-ekd5r3yave/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Deletes itself
Executes dropped EXE
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
9098ed4619cde8fe8abc05fe5d52bd72a64a319ea889c59524638f1b0fc3f0d0
MD5 hash:
c699799e0edb42107c87546da90f87bf
SHA1 hash:
5bf1b6ef44903c77efff050f00e68c9bee7ad8f9
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/e5f63000-808e-4f61-854c-47656d49efdf/
Parent samples :
3d8976fe6a79ea716fa15a77f0b6e301e1091fa1143cf1d4f558153ae259ab3f
857f9ec55794e1c43321c0054bb3a6cee591fb04a07a62fbdfce2cc20e508a7a
SH256 hash:
ac5545dafa3a7d28d95050ffbc0a9bd8a75661a1d78b7f61f33e2b68cfad83ab
MD5 hash:
37a103918c21774d50ff13f990df04d4
SHA1 hash:
bd4009ce357103f05207b917b14b20a72f9586d5
Link:
https://www.unpac.me/results/e5f63000-808e-4f61-854c-47656d49efdf/
SH256 hash:
3d8976fe6a79ea716fa15a77f0b6e301e1091fa1143cf1d4f558153ae259ab3f
MD5 hash:
245dc64c936592d8f1638b852ab605c3
SHA1 hash:
ce8b04e1e8bcbc7e89b1128337745dc64704fd59
Link:
https://www.unpac.me/results/e5f63000-808e-4f61-854c-47656d49efdf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d8976fe6a79ea716fa15a77f0b6e301e1091fa1143cf1d4f558153ae259ab3f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip d58147404fc020a25e4e8547f9205dc555846ad93ef5d2f3ce2a479dfccd8762

MassLogger

Executable exe 3d8976fe6a79ea716fa15a77f0b6e301e1091fa1143cf1d4f558153ae259ab3f

(this sample)

  
Dropped by
MD5 32f57dcdde0fd8eda181eeadeac8f3c1
  
Dropped by
SHA256 d58147404fc020a25e4e8547f9205dc555846ad93ef5d2f3ce2a479dfccd8762
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/106127/

Comments