MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b32ffc4c10114b55115da9f2c6e4ee22222f5d305552daf00a287b82d66c9dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b32ffc4c10114b55115da9f2c6e4ee22222f5d305552daf00a287b82d66c9dc
SHA3-384 hash: a81fb70745346431dbdabb5be9c0ba6496f0aea7964204b0a8c52fbff3672a73e7616ffe6dfe7161d0e834fa59fb63f4
SHA1 hash: c1d39316e68e9805f4922bc6451730d1f4f67f31
MD5 hash: edb9ce3fb683ac12c72ce836dfcdb6a0
humanhash: diet-violet-white-seventeen
File name:PROJECT RFQ.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:794'112 bytes
First seen:2020-11-19 06:35:22 UTC
Last seen:2020-11-20 06:33:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:J2Ifiz0YRo9ee7R2VgbyxuH0d2G/1VRIX3aW2xakhz0mU5jBWf1mUs+3Evkt8LF:4IfizFSExuHOJ9v2yau0Daf16iP8
Threatray 544 similar samples on MalwareBazaar
TLSH 5FF4127619A5EE52EB6A5FF1E095274C0FA564579B30E44DBDDC00CB22B2B08EE50E33
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: elmehad.com
Sending IP: 154.127.53.42
From: Baiju Rajan <aliabualnaja@elmehad.com>
Reply-To: gk@aquaflor.ae
Subject: Abu Dhabi Government,for Dualization, Engineering, Procurement and Construction of the Abu Dhabi and topside facilities (LOT 17)MLE Boosting PJ / Abu Dhabi.
Attachment: PROJECT RFQ.rar (contains "PROJECT RFQ.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Deleting of the original file
Result
Gathering data
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/542691
Signature
Deletes itself after installation
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 320443 Sample: PROJECT RFQ.exe Startdate: 19/11/2020 Architecture: WINDOWS Score: 100 32 Multi AV Scanner detection for dropped file 2->32 34 Sigma detected: Scheduled temp file as task from temp location 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 7 other signatures 2->38 8 PROJECT RFQ.exe 6 2->8         started        process3 file4 24 C:\Users\user\AppData\Roaming\xjUGLzdR.exe, PE32 8->24 dropped 26 C:\Users\user\AppData\Local\...\tmp5759.tmp, XML 8->26 dropped 28 C:\Users\user\AppData\...\PROJECT RFQ.exe.log, ASCII 8->28 dropped 11 PROJECT RFQ.exe 2 8->11         started        13 schtasks.exe 1 8->13         started        15 PROJECT RFQ.exe 8->15         started        process5 process6 17 powershell.exe 17 11->17         started        20 conhost.exe 13->20         started        signatures7 30 Deletes itself after installation 17->30 22 conhost.exe 17->22         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b32ffc4c10114b55115da9f2c6e4ee22222f5d305552daf00a287b82d66c9dc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 20:29:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lmzp7rgbaeklkuiv3kpsy3so4ircf5otavks3lyaukd3qllgzhoa._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
16dff524e764f19be7a7851841235ef4406b22866e500ca592b678c55fd70bf5
MassLogger
230ac2859ddd4c3652956a929073f0a06ce0765d2d8f0602b9af999c5b99aed0
MassLogger
2bea53a14d59fc7d772ea805af47b3b8ddddbf201a7e8d9e7ebd7ca422702a30
MassLogger
532051adf5893bf586b56210af5c7f3c4e8f72cfecf8ef52687f34e1fea17ab3
MassLogger
6030faadae8d2aa1b94b06da9c0d4ed3ce33076a1bc04218027519b1043a6a95
MassLogger
6854cc7c26e459c0e7ea583efd796fa5ca247692e3ebe3438dad71deca1efac6
MassLogger
add6098978fb4c511d57cf351d6cacd9a50e1a1958e673a1fada4ecf753df51e
MassLogger
cc8e79ce79d0078b6483062f8fc8d187f5fdcf92c9f51db25551a19d22af0a87
MassLogger
f83ad58372165b89222b164f3da6a0b4edad02409d13df77e713ad860a6489e4
MassLogger
ff30ebf52489bc096912d3d89259f8f6e44ec3ced1d124094d10f2fbfaa18590
MassLogger
+ 534 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger persistence spyware stealer
Link:
https://tria.ge/reports/201119-sdjxwv4bva/
Behaviour
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e
MD5 hash:
8cd5d2014866f4ef60802ff1826998a6
SHA1 hash:
8ff75946905d0b117080cc5a07e6e0bbea4e9bbd
Link:
https://www.unpac.me/results/07d82f39-8eff-4cf5-87d8-de1d78ca0550/
SH256 hash:
895538a25f78537deed98c851a2f9395258b81ae6a0164180002d22f1f651932
MD5 hash:
861d51d43cfa290ca6dc00e6b9d7f625
SHA1 hash:
bbc7d0dd453e248ef10113336816c5e0ab7d03b1
Link:
https://www.unpac.me/results/07d82f39-8eff-4cf5-87d8-de1d78ca0550/
SH256 hash:
9fa4bd192773dfc684e2d0d7a15054220a2c3a4418d2a46c1e245f34ba88fa85
MD5 hash:
2590b65af13e5325d936c62743e003ea
SHA1 hash:
ed3c2da29c2f623aa9769ee822c5263434a61acc
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/07d82f39-8eff-4cf5-87d8-de1d78ca0550/
Parent samples :
6030faadae8d2aa1b94b06da9c0d4ed3ce33076a1bc04218027519b1043a6a95
cc8e79ce79d0078b6483062f8fc8d187f5fdcf92c9f51db25551a19d22af0a87
5b32ffc4c10114b55115da9f2c6e4ee22222f5d305552daf00a287b82d66c9dc
2d72381a89f07ac880d001d5cec532b9900db1030fc269687752863174fab88f
SH256 hash:
5b32ffc4c10114b55115da9f2c6e4ee22222f5d305552daf00a287b82d66c9dc
MD5 hash:
edb9ce3fb683ac12c72ce836dfcdb6a0
SHA1 hash:
c1d39316e68e9805f4922bc6451730d1f4f67f31
Link:
https://www.unpac.me/results/07d82f39-8eff-4cf5-87d8-de1d78ca0550/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar ba8ad394d1f2035b5b582c9d1094141c283d3379a51c5a69ac7fc6118d81824f

MassLogger

Executable exe 5b32ffc4c10114b55115da9f2c6e4ee22222f5d305552daf00a287b82d66c9dc

(this sample)

  
Dropped by
MD5 be265979afaa3c7cb663b4003e7f3f73
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ba8ad394d1f2035b5b582c9d1094141c283d3379a51c5a69ac7fc6118d81824f

Comments