MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a0212846806b7a822b1275aa4421addc9914c4a988fc0ac6458a48dd99ff50d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a0212846806b7a822b1275aa4421addc9914c4a988fc0ac6458a48dd99ff50d
SHA3-384 hash: 6b5b25d475d91a56a38079c81acc5809381ee902a1d7c979e16d3c6a978da4bc1a8bebeda36d5e0e4c58f330ee48f346
SHA1 hash: 120cad8710c814a2142130d02b7e001000de1200
MD5 hash: 774d668aee11f481342d39a42711564e
humanhash: kansas-south-charlie-papa
File name:RFQ UP300842 CONFO 08.14.2020.pdf.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:454'904 bytes
First seen:2020-08-14 10:10:59 UTC
Last seen:2020-08-14 11:01:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'603 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:ym6McmOSBJzrcKa3Ux6NVWl0pDrbKML9w6Khm4PNrMlCob+ygs2EA:jcmOSzAjWlU5u5yoC2t
Threatray 161 similar samples on MalwareBazaar
TLSH C2A4BF49F2A08F00C3C83D71A5A3A93527B2F5462536F35E3F4D52E67D623B5898A7C4
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: bzq-40-168-31-90.red.bezeqint.net
Sending IP: 31.168.40.90
From: Sheik Abdul <admin@bzq-40-168-31-90.red.bezeqint.net>
Subject: RFQ_DN400_600CC3312.PDF
Attachment: RFQ UP300842 CONFO 08.14.2020.pdf.z (contains "RFQ UP300842 CONFO 08.14.2020.pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ispy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45785/
Detection(s):
SecuriteInfo.com.Generic.mg.774d668aee11f481.19643.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Adding an access-denied ACE
DNS request
Sending an HTTP GET request
Creating a file
Moving a recently created file
Replacing files
Deleting a recently created file
Reading critical registry keys
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Setting a global event handler for the keyboard
Stealing user critical data
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/429374
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a0212846806b7a822b1275aa4421addc9914c4a988fc0ac6458a48dd99ff50d/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-14 10:12:11 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ribbfbdia232qivre5nkiqq23xezctcktch4bldelcsi3wm76ugq._file
Verdict:
malicious
Similar samples:
15c3cfbad0e3b0afe327e53605c463775ef2ae1d5c21b23928a2aa34b7e36719
MassLogger
305d2dc35b0ce0040b0223e8fb187e04ac7c36e99ad620a7b824035183a2ccea
MassLogger
34cbecb7d69d17b347da77599976058e0a02a9930a085d1a5b98505fdfb77a46
MassLogger
354d3e283f994802a084678c53be397a4ea4d46d7e48487e6db6c46f6f91ffb9
MassLogger
383e589441b2d47da8108e096dcbef6501935e91f248158a624bed91fef1524c
MassLogger
4f4ecb62cff991d6e30675be71df634dd9f0e48ce95c4ba92fc9116d6cc25896
MassLogger
7b09e5a976956a0554cb8fa07d9958ba192249fe512f45bee23d5e1ae9e2c974
MassLogger
7e9b9bbb673e25ab8ee790dbfd2a3e489c0d3a88ab73aafe671f68982f1b41da
MassLogger
8025c16aa7b7e0d0dfe71e8f627c287ebefc935a6b65cf180409f36633626277
MassLogger
e0035aa03440db1460ee92e59d384ed20dce147a7f62c846c486da9decac4b28
MassLogger
+ 151 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200814-tve162tj8e/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8a0212846806b7a822b1275aa4421addc9914c4a988fc0ac6458a48dd99ff50d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip fbf191124e64fbc9778bc529972b4824026d132ca21aa5404d0606e1224fe43d

MassLogger

Executable exe 8a0212846806b7a822b1275aa4421addc9914c4a988fc0ac6458a48dd99ff50d

(this sample)

  
Dropped by
MD5 4b1a9ccf08aa67d18a0f75b199e79c1d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/45785/
  
Dropped by
SHA256 fbf191124e64fbc9778bc529972b4824026d132ca21aa5404d0606e1224fe43d

Comments