MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e184fecd3e0be67e11c78d407fe8e1f5f75573b32801bf00055745ef3c86225. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 10

SHA256 hash: 9e184fecd3e0be67e11c78d407fe8e1f5f75573b32801bf00055745ef3c86225
SHA3-384 hash: 904227d46dd204e8b3d296ed02d5faef1f3d9d1e448b3ccac86eb18cdd6ce7756878f4c8198231a382c91ed739839f02
SHA1 hash: 72af245683b018fb46684d07545ebd9e3dc8d0f0
MD5 hash: 024ca03cfeb3ccac67e8516ad12b896d
humanhash: south-echo-carbon-alaska
File name: TJKjGvC3dP2CIDi.exe
Signature: MassLogger
File size: 1'432'064 bytes
First seen: 2020-10-23 11:39:39 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:jo5jyfEkrJ9h07EGfelhukuWB4/xXVQ6Lggg0T+PIIETNOe:jUjyfEkrJ7y2ukuWAW6Lg90fJB
Threatray: 445 similar samples on MalwareBazaar
TLSH: 2565F10223E85F54F5BF93389868000097F9BD06A727E7ADBDD050DF1DA2F818B5676A
Reporter: abuse_ch
Tags: exe GarantiBBVA geo MassLogger TUR


abuse_ch
Malspam distributing MassLogger:

HELO: m1mkyc5j.ni.net.tr
Sending IP: 89.252.168.58
From: Garanti BBVA Emeklilik <OtomatikBES@garantibbvaemeklilik.com.tr>
Reply-To: noreply <mintchin1@gmail.com>
Subject: Otomatik BES İşlemleri Son Aşama - Ödeme Dosyanızı Yükleyin
Attachment: 42800.rar (contains "TJKjGvC3dP2CIDi.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 131
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Running batch commands
Launching a process
Result
Threat name: MassLogger RAT
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph (ID 303163; sample TJKjGvC3dP2CIDi.exe; start date 23/10/2020; architecture WINDOWS; score 88; graph image not reproduced here)
Top signatures: Yara detected MassLogger RAT; Yara detected AntiVM_3; .NET source code contains potential unpacker; 4 other signatures
Process tree recovered from the graph:
TJKjGvC3dP2CIDi.exe (started)
  dropped file: C:\Users\user\...\TJKjGvC3dP2CIDi.exe.log (ASCII)
  signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Injects a PE file into a foreign processes
  TJKjGvC3dP2CIDi.exe (child, started)
    cmd.exe (started)
      powershell.exe (started); signature: Deletes itself after installation
      conhost.exe (started)
  TJKjGvC3dP2CIDi.exe (second child, started)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-10-23 09:35:06 UTC
AV detection: 23 of 27 (85.19%)
Threat level: 5/5
Result
Malware family: masslogger
Score: 10/10
Tags: ransomware spyware stealer family:masslogger
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
MassLogger log file
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Signature: MassLogger
File: Executable exe 9e184fecd3e0be67e11c78d407fe8e1f5f75573b32801bf00055745ef3c86225 (this sample)

Comments