MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70caf501b061da2729d33d4b0c5e9b9c58bc554cdbdddef16f7e057ea346808c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 70caf501b061da2729d33d4b0c5e9b9c58bc554cdbdddef16f7e057ea346808c
SHA3-384 hash: dfe26dee1adf064f6c6c6c2e79eb31d255355d7ca919030682e1572650cfbf44c3c44c79203833bd93bbb2395e1fad4c
SHA1 hash: febd998e001c6abcaee00447c8f21eb103d81bff
MD5 hash: 0098ade3b0d25eee4fbd318e508c2102
humanhash: illinois-tango-steak-march
File name:YKjeKrJd4FXnXs8.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:959'488 bytes
First seen:2020-10-13 12:40:29 UTC
Last seen:2020-10-13 14:21:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:RXcrMC2O7+mi3BlFcIBI65tfmLdUUpFfFuRQQ0MhQxt3AY0q/NOkzuDmUnu86PJc:I7YRrvp5tf2VAGkQxcRkzXUu8ynn4yt
Threatray 340 similar samples on MalwareBazaar
TLSH B1151265237AAB56E17AD3F8562650002BFA36162121F70DEFC22ADFB879F004764F53
Reporter abuse_ch
Tags:exe GarantiBBVA geo MassLogger TUR


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: proje.mertbilisim.net
Sending IP: 85.95.240.168
From: Garanti BBVA <ekstre@garantibbva.com.tr>
Reply-To: noreply <export@yeditepeorganik.com>
Subject: Hesap hareketleriniz
Attachment: Hesaphareketi.rar (contains "YKjeKrJd4FXnXs8.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70462/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.3009.28351.22727.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/489687
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Deletes itself after installation
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 297296 Sample: YKjeKrJd4FXnXs8.exe Startdate: 13/10/2020 Architecture: WINDOWS Score: 100 33 Malicious sample detected (through community Yara rule) 2->33 35 Sigma detected: Scheduled temp file as task from temp location 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 6 other signatures 2->39 8 YKjeKrJd4FXnXs8.exe 6 2->8         started        process3 file4 27 C:\Users\user\AppData\Local\...\tmpA121.tmp, XML 8->27 dropped 29 C:\Users\user\...\YKjeKrJd4FXnXs8.exe.log, ASCII 8->29 dropped 31 C:\Users\user\AppData\Roaming\uBLcTOj.exe, PE32 8->31 dropped 43 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->43 45 Injects a PE file into a foreign processes 8->45 12 YKjeKrJd4FXnXs8.exe 2 8->12         started        14 schtasks.exe 1 8->14         started        16 YKjeKrJd4FXnXs8.exe 8->16         started        18 YKjeKrJd4FXnXs8.exe 8->18         started        signatures5 process6 process7 20 powershell.exe 17 12->20         started        23 conhost.exe 14->23         started        signatures8 41 Deletes itself after installation 20->41 25 conhost.exe 20->25         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/70caf501b061da2729d33d4b0c5e9b9c58bc554cdbdddef16f7e057ea346808c/
Threat name:
Win32.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 06:22:31 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=odfpkanqmhncokothvfqyxu3trmlyvkm3po554lppycx5i2gqcga._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
08c7131cac4c6c62004d8b2e3ce0b85d1b35e7325f753a865206814cd87ecdf4
MassLogger
3d026a637ea567d4b3a0372ea85f06773c49996555e4741a8503735cb1e77ba8
MassLogger
62ddfbbb9039c0671aa08af5d0fdd0fe949eb96e435c631a57e931e4b19743a9
MassLogger
af61853ca27001c0721463fce68bb033a9084e9fcd0c6ced3acd7fc3ea0e957a
MassLogger
bced2082dc766d01bcbb3b1ad8da3b6e482caaef683444a76fadb3bd543d26ec
MassLogger
c6c9d96f79bfdb417fb481028ff91843f34cafc277c2f665f43ab48e08889347
MassLogger
d18ed06b9419076750525d6324bce7702186263efaa0ab0d3647510268883f37
MassLogger
d86a036697fc43fa7041bd5e298ff785adcf44c78057f3c1c9db8fa9f694ce64
MassLogger
e0693087d46213280ce4281058ff53b07f433a9b07f4eaebf41314dd724f8e73
MassLogger
e63d9fff34fc1c54b4e9bcb779e8101ca5e65f84d84e153c0788dec7d8ee5d42
MassLogger
+ 330 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
evasion stealer spyware family:masslogger
Link:
https://tria.ge/reports/201013-2e46864h8x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
1f7e27e1ee34e1b4c2abbe572baf96fe91916899f2bd1ade8ee0d951cc92eb12
MD5 hash:
d4cefcc5529eabe30fbb7fe3aa818be2
SHA1 hash:
0e49950a67450120d4561a6dbdf71e0e51f16dc0
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/fc6924f3-92ed-402e-8532-db8ba2309e9c/
Parent samples :
a2b0e9c1ea03a3a538fe9ef7f8e6dbf4c08feba8560e238e29fce0dd2f2e144b
2fea8f7c727460dfd943dce7f9bb051f188f37a0150a132039a1892f18749ff3
70caf501b061da2729d33d4b0c5e9b9c58bc554cdbdddef16f7e057ea346808c
SH256 hash:
6350a5587bb87b97a9505eb250a40d1d3f64946a8b5d0b428c3dc333070d51f4
MD5 hash:
b960cb4e4a955d8ae95154c92e9c41ce
SHA1 hash:
794c865cc76ab4e52c650a40da5f28777ecdb254
Link:
https://www.unpac.me/results/fc6924f3-92ed-402e-8532-db8ba2309e9c/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/fc6924f3-92ed-402e-8532-db8ba2309e9c/
SH256 hash:
70caf501b061da2729d33d4b0c5e9b9c58bc554cdbdddef16f7e057ea346808c
MD5 hash:
0098ade3b0d25eee4fbd318e508c2102
SHA1 hash:
febd998e001c6abcaee00447c8f21eb103d81bff
Link:
https://www.unpac.me/results/fc6924f3-92ed-402e-8532-db8ba2309e9c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/70caf501b061da2729d33d4b0c5e9b9c58bc554cdbdddef16f7e057ea346808c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ce1b3e7e818acfb65ad0c3d8e77e1162

MassLogger

Executable exe 70caf501b061da2729d33d4b0c5e9b9c58bc554cdbdddef16f7e057ea346808c

(this sample)

  
Dropped by
MD5 ce1b3e7e818acfb65ad0c3d8e77e1162
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70462/

Comments