MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ba4d89aa8ee0209d0f91d406ff67bf77ff78b4639264c1248cb2eb25bde1c32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	5ba4d89aa8ee0209d0f91d406ff67bf77ff78b4639264c1248cb2eb25bde1c32
SHA3-384 hash:	e53624be4f18ddb41abd89d65c90f6c757235f369eaff3a2c6fed750946659ff3a98b57ab0b877af983146465ffd3008
SHA1 hash:	0cb492daa505508d73d93933a162ae2dd472d033
MD5 hash:	2ca30d0caf4d8406ca511033f24ef46a
humanhash:	virginia-idaho-alpha-purple
File name:	QA103 SWIFT.pdf.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	27'648 bytes
First seen:	2020-10-08 05:40:49 UTC
Last seen:	2020-10-08 11:13:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	384:A6XT6+4XFsAY/4DYIQiBHPl2dGWwmNmVpKana6K9hWdE8/1v23Am7Uj9u3ljgpwO:Xa0/4VVPGq3a6VuAm7Uj9u3ljgpwO
Threatray	288 similar samples on MalwareBazaar
TLSH	00C2952CBA5559BACDBD86B2CB4382147B3D8D0772479E4A2FD5C6C9778F1002D8327A
Reporter	abuse_ch
Tags:	exe geo GRC MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: mail.zedcloud.ro
Sending IP: 188.215.37.226
From: info@sedo.co.uk
Subject: Κορυφαίο επείγον // Συμβουλές πληρωμής - Ref: HSBC99002992 / 1602020
Attachment: QA103 SWIFT.pdf.7z (contains "QA103 SWIFT.pdf.exe")

Intelligence

File Origin

# of uploads :

4

# of downloads :

107

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Using the Windows Management Instrumentation requests

Launching a process

Creating a process with a hidden window

Creating a file

DNS request

Sending an HTTP GET request

Creating a window

Reading critical registry keys

Possible injection to a system process

Unauthorized injection to a system process

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/484964

Signature

Creates processes via WMI

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Uses an obfuscated file name to hide its real file extension (double extension)

Very long command line found

Yara detected Powershell dedcode and execute

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5ba4d89aa8ee0209d0f91d406ff67bf77ff78b4639264c1248cb2eb25bde1c32/

Threat name:

ByteCode-MSIL.Trojan.GenMlwB

Status:

Malicious

First seen:

2020-10-08 05:42:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

2

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=losnrgvi5ybatuhzdvag75t36577pc2gheteyesizmxlew66dqza._file

Verdict:

malicious

Label(s):

masslogger

Similar samples:

047e9f8b825378da0ad294496cbed35ff024c2742993e6eb0d4a1bc94c6bdb02

249b1438e43913a18e085ec6b3ff767c3091cc55177c7730cfe62ab5bf168309

7f65935cd55b5a0978bf0a70690462a08d83657a97ddbe6aba871a5496d5f9c5

a920f6bd5e8cf8734daa7aa6b0a79b3edc9725c436f5b6bdec9a7490792c8298

bd99f6b970cc52ee725dd1b734a440243655a3fbc1e2304a665b29d41477c25b

ce073fce9de335c288fe205d5bf7fbdd9fd3ecc718821116dbad098f176a69de

dd652810ff0fc0288768ac20d5fcc76f7bc517c3ed8b066a18340a8b69c69c3a

e2df2b406150713616dbcbdbba76f1939e2605c3b30c6ae62e05832eb874e0e0

ed42640da83dda3bf2ed08c414bfd256a82c9a8ef1894a59e3c421b254c59d4d

f925d649aee4b92c974778fd87576229f44972c23df41df5aacdd9dc55fd2c45

+ 278 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/201008-89f7s8le5x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Drops file in System32 directory

Looks up external IP address via web service

Blacklisted process makes network request

Process spawned unexpected child process

Unpacked files

SH256 hash:

5ba4d89aa8ee0209d0f91d406ff67bf77ff78b4639264c1248cb2eb25bde1c32

MD5 hash:

2ca30d0caf4d8406ca511033f24ef46a

SHA1 hash:

0cb492daa505508d73d93933a162ae2dd472d033

Link:

https://www.unpac.me/results/4852c067-e0e4-4549-bed4-bc99d6141e46/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Dropper

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/5ba4d89aa8ee0209d0f91d406ff67bf77ff78b4639264c1248cb2eb25bde1c32

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

7z 6aae274097a146f2e0b8f3a05b281a69117b126c614ac632733f42167e3e366c

exe 5ba4d89aa8ee0209d0f91d406ff67bf77ff78b4639264c1248cb2eb25bde1c32

(this sample)

Dropped by

MD5 5c774f83ecc757839bb9b555a7f1c46c

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/69084/

Dropped by

SHA256 6aae274097a146f2e0b8f3a05b281a69117b126c614ac632733f42167e3e366c

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample