MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5404deeed73ea0f64dfaaeb7fa4cca1dbae0f6840c5c8634198531c4da44688a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	5404deeed73ea0f64dfaaeb7fa4cca1dbae0f6840c5c8634198531c4da44688a
SHA3-384 hash:	21852c81bd9982e6cbca4d44da177202ca1bd528e3bfc8cbf466f6b85a3b1fa336298d86555dc087d833cfdfe0a69e67
SHA1 hash:	1a54e9d6d7df3bcbd45f12d39fde95e8b518ac49
MD5 hash:	53d4c80e6bab76d84c38a48236e81ce7
humanhash:	three-south-skylark-beryllium
File name:	Order 01001O02.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	194'560 bytes
First seen:	2020-10-07 16:43:26 UTC
Last seen:	2020-10-07 18:00:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	3072:r3ZHS/NXUCzJ1iFd7Y57yXJtmMOPYUvWJjuN+x/bagk9:r3Zy/NkC/iDRLmM7UviuNo/b
Threatray	65 similar samples on MalwareBazaar
TLSH	6F14A416F9A6090AD7026671F6DA2131833791F22A07F70E37E613501FA33FFE989566
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: mx.greentelekom.com
Sending IP: 178.211.39.11
From: <huseyin@eraycephe.com>
Subject: Order 01001O02
Attachment: Order 01001O02.zip (contains "Order 01001O02.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

125

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/69000/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Using the Windows Management Instrumentation requests

DNS request

Sending a custom TCP request

Launching a process

Enabling autorun by creating a file

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/484459

Signature

Adds a directory exclusion to Windows Defender

Creates an undocumented autostart registry key

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5404deeed73ea0f64dfaaeb7fa4cca1dbae0f6840c5c8634198531c4da44688a/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2020-10-07 13:01:51 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kqcn53wxh2qpmtp2v237utgkdw5ob5uebroimnazquy4jwsencfa._file

Verdict:

malicious

Label(s):

masslogger

Similar samples:

25565e82a4ff19e43439a8188345ec8ad8d3538529dec10764c9ffba163ceb6c

2afd6527968b76196a9433fa40dc66ba80d408dd61efca8cafe65c41d0f731ff

4786c4e0b64e49ed37f8215c2b6c778ec6c7b31a4d044cab66d46c904c6a7cba

4c66ebb40e5abd92b6a6985e8409116c5424ebb9af0c320cbafb031698e5022c

712570e39e1f912cebe3d6522f2df4077ec0958d3ea3b0797e2492c4923db8f5

96a8399aef7760c49b1b2fd59de6f8747f5de3bf85249c5d7e09e7499a5c097f

d438dd09e9249c6ffc54851f110cf512d226d1d2bd4ad10ace66038494a4f295

d9f4e53838a43981dee675993924484cd508c1d6fe40d619694e313e9d1e6569

eb3f9e33686ca1ff7ea50e18303b97a19ed46d985f91d20dca5b4c2aadf45f24

fc87713edf4f4aa23cf04040a4f47604550b4ca2da324c0c3daf4fdcac6fa17f

+ 55 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201007-h729kzxf5e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Unpacked files

SH256 hash:

5404deeed73ea0f64dfaaeb7fa4cca1dbae0f6840c5c8634198531c4da44688a

MD5 hash:

53d4c80e6bab76d84c38a48236e81ce7

SHA1 hash:

1a54e9d6d7df3bcbd45f12d39fde95e8b518ac49

Link:

https://www.unpac.me/results/ea3e01b4-83e8-4615-a906-257938bfddad/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.97

Link:

https://yomi.yoroi.company/submissions/5404deeed73ea0f64dfaaeb7fa4cca1dbae0f6840c5c8634198531c4da44688a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 87723ef44cef3501ff5871305f3fce6a17bec31e09a045ee5f7760308fd7a968

exe 5404deeed73ea0f64dfaaeb7fa4cca1dbae0f6840c5c8634198531c4da44688a

(this sample)

Dropped by

MD5 f3b684d43fec3ff1b7945ca815e73da6

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 87723ef44cef3501ff5871305f3fce6a17bec31e09a045ee5f7760308fd7a968

Cape

Cape

https://www.capesandbox.com/analysis/69000/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample