MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a39817abcaf9b2ad45fecd4aec867e6989ece31d2dd41410622af0fc6547444. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a39817abcaf9b2ad45fecd4aec867e6989ece31d2dd41410622af0fc6547444
SHA3-384 hash: dc4bf2591a7dcb9cdcacbb4d4996b9fa1fde3dd95d0b0c472a87f38c2f84a0efca2ee7b88389755ab4c7d89bd4b43b1d
SHA1 hash: 807bb539671bf77090cb96000c01248080b467a9
MD5 hash: 96ded925029c99194d0d559c6d7d6923
humanhash: wyoming-glucose-winner-chicken
File name:inquiry specification.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'051'648 bytes
First seen:2020-08-06 06:45:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:q7F5UfnwP2zet0E2nl+nO2nJ7MvnOdN6qsmgKqk+nrSy:a5U/wOet06O2nJ7unOdE8v+G
Threatray 420 similar samples on MalwareBazaar
TLSH 162502043BC59A02C3398F374991502056B5EF6E6D22E3D77EC432AB15BF7F80A156EA
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: wbironout1.netvigator.com
Sending IP: 210.87.247.7
From: Omeir Nasser Al Falahy & Partners <market002@netvigator.com>
Subject: Please offer your best price for the attached items list.
Attachment: inquiry specification.zip (contains "inquiry specification.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
63
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/40187/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Running batch commands
Enabling autorun by creating a file
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/412321
Signature
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 258412 Sample: inquiry specification.exe Startdate: 06/08/2020 Architecture: WINDOWS Score: 84 33 Sigma detected: Scheduled temp file as task from temp location 2->33 35 Yara detected MassLogger RAT 2->35 37 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 2->37 39 4 other signatures 2->39 8 inquiry specification.exe 7 2->8         started        process3 file4 25 C:\Users\user\AppData\Roaming\pabVlICD.exe, PE32 8->25 dropped 27 C:\Users\...\pabVlICD.exe:Zone.Identifier, ASCII 8->27 dropped 29 C:\Users\user\AppData\Local\...\tmp2C59.tmp, XML 8->29 dropped 31 C:\Users\...\inquiry specification.exe.log, ASCII 8->31 dropped 43 Injects a PE file into a foreign processes 8->43 12 inquiry specification.exe 3 8->12         started        14 schtasks.exe 1 8->14         started        signatures5 process6 process7 16 cmd.exe 1 12->16         started        18 conhost.exe 14->18         started        process8 20 powershell.exe 17 16->20         started        23 conhost.exe 16->23         started        signatures9 41 Deletes itself after installation 20->41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a39817abcaf9b2ad45fecd4aec867e6989ece31d2dd41410622af0fc6547444/
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-06 04:39:19 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ti4yc6v4v6nsvvc75tkk5sdh42mj5trr2loucqigekxq7rsuorca._file
Verdict:
malicious
Similar samples:
0bc730f8804a7ca3bb1ce3ef623dd0589d5813086d950b9173c8294293070a16
MassLogger
29285c1e0f58e12ace807098090275535b37d6faf0379372b4ae41299cca5c3f
MassLogger
383c5be68c83202fd20ce29fe47dc6982229ae6bc87349c44216d875554c1d17
MassLogger
4f7ce008febd9fe224c7a7cec7d8abf8c0db3611fd14d8aca135041d21d2b45c
MassLogger
5a08d0f514ac2efd07cc045c1b896cf7c6426dd0013ad523a14bbdbce2b25edd
MassLogger
97e4b41e30337b05fa008fbb69cbd5f16af2e61067637d1fad45894cfe4c683f
MassLogger
98f14edea3c84946787d020e97f6b161cae2ed419e458434413626b9893c6f62
MassLogger
d02c315a42a4a452a9e78011fbcce66f9f53bab788513d1b6f52e8fc70aa9f3c
MassLogger
ea1d4c5b29018a3134b0b0f1d6cb8055b39e94b5d44e3a6cb18d5cc6b0bfce4e
MassLogger
f6df04b1b109a5d525073529a3877c3df598f9fcb62278a82412fc7736ed1ba7
MassLogger
+ 410 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware evasion spyware stealer family:masslogger
Link:
https://tria.ge/reports/200806-dnw44pdwbx/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
Modifies visibility of file extensions in Explorer
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/9a39817abcaf9b2ad45fecd4aec867e6989ece31d2dd41410622af0fc6547444

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 64661c33491d2f36f4012a5654e972dd2fe5440d1243a31c331ad37d7b8329d9

MassLogger

Executable exe 9a39817abcaf9b2ad45fecd4aec867e6989ece31d2dd41410622af0fc6547444

(this sample)

  
Dropped by
MD5 5b702333212392f1c272c8c5fb48fc9b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/40187/
  
Dropped by
SHA256 64661c33491d2f36f4012a5654e972dd2fe5440d1243a31c331ad37d7b8329d9

Comments