MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97a3f574869dfb82834d7481df5e280ab0944dda13ff548d5674e960493cfb8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	97a3f574869dfb82834d7481df5e280ab0944dda13ff548d5674e960493cfb8c
SHA3-384 hash:	d2342bea12427115e3acece79aedc69a90acf09406bd3fc3f62b70d9163fd95b1bb859395d57b6b55d1d6cfd33ebf720
SHA1 hash:	b73625caa0fcf43c9cdce6fe406e793cbf43f0ec
MD5 hash:	1728a1c5055e320ba8f3c1f74b617f41
humanhash:	sweet-neptune-massachusetts-oven
File name:	Required Purchase Order Reference.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'098'240 bytes
First seen:	2020-08-18 19:39:11 UTC
Last seen:	2020-08-18 20:48:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:QAgXtMUL8yvyIPJWt96DaVGx5zvGZf65qujunNTba:qdL8yvyCy4eVGxZvGZfiunNTb
Threatray	626 similar samples on MalwareBazaar
TLSH	3635123233D0EB25D1BD5377CCA9600513F9B8076721EBAEBDD8229C0A127924B736D6
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

From: coskun.senem@ogr.deu.edu.tr
Subject: REQUEST QUOTATION FOR OCTOBER 2020
Attachment: Required Purchase Order Reference.Doc.gz (contains "Required Purchase Order Reference.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

75

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Ispy

Link:

https://www.capesandbox.com/analysis/48075/

Detection(s):

SecuriteInfo.com.Trojan.Agent.EVDK.12696.12124.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Running batch commands

Launching a process

Deleting of the original file

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/97a3f574869dfb82834d7481df5e280ab0944dda13ff548d5674e960493cfb8c/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-18 04:57:01 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=s6r7k5egtx5yfa2nosa56xribkyjito2cp7vjdkwotuwasj47oga._file

Verdict:

unknown

Similar samples:

1c989f633edcaea6e97a4a96f8a1f9ed19d54ed109cfaf1053a67dc48d28fd52

20ec6cdb323f2e2eea0bfb107e820a079a41a3fc6afdf8378de930d7aa7b4160

2a1b3187f7000dfb10dff758fe598e73e58d6864c5a4579e7c35acd88314ca20

2eea41fa4b1a202182851d36b3866be43e1ba8c4912c18290caaac84da4dbcce

49624f5c771ea1f722d434fe9ddb5985529f67ebb0398ed54f5565ba5e470251

9753fb15b17d78d8f7793caadf177d71bf6f0a99e490537e768812a835db22fa

c27a39381e1034e23c04713893907c51596a6215a6fb1932281520c17aae8646

cbca1b2ee6c097f73a866a102f4f17a5966ede96d69b51d6702a0882181fa866

e33ecba374a7d34a6c237fde198844930a82c27199c76f49bc0558e0caf1f4a4

f959039896cdd9c4add867b06af7d100629377c66ef7fb0fd4aeba48f9a9593e

+ 616 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200818-sdcwvhevgs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/97a3f574869dfb82834d7481df5e280ab0944dda13ff548d5674e960493cfb8c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz d08fc097e6d26fba99270c26526b6bc1cc25bb27362a3a0a2d9f29c42468e583

exe 97a3f574869dfb82834d7481df5e280ab0944dda13ff548d5674e960493cfb8c

(this sample)

Dropped by

MD5 8724cb05db94a8e05c84a659298b70d4

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/48075/

Dropped by

SHA256 d08fc097e6d26fba99270c26526b6bc1cc25bb27362a3a0a2d9f29c42468e583

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample