MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0dd978d0c18469af2bce3de12e360921e74a22c717a3758fab3bd03f27a5496. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0dd978d0c18469af2bce3de12e360921e74a22c717a3758fab3bd03f27a5496
SHA3-384 hash: 13c57a5a4c61dd0632ced67665a0d9550aa7cee4b08fefb25bb55d99d5d8b3852bb3f20dd9391b27a9da232ecd0742c2
SHA1 hash: a79e9e71776e69c6880f8ecfb642bca0a2ef449b
MD5 hash: 3e38e1d7210ce9bc9996d0c58844a1bb
humanhash: pip-kentucky-magnesium-rugby
File name:ZCKH5nQQwhttNAi.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'059'840 bytes
First seen:2020-10-13 14:48:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:PDIQA3aVIEkWs+ZY8KzcVoOXrokT5wz6t0urPft5IQ8p:PDQ3aUr+2Lso28kT5wz6TrPftKQ
Threatray 343 similar samples on MalwareBazaar
TLSH 7D35126517AC3F66E97E63FA5321520017B5361B2122F50CAFC3A4DF695EF404A82FA3
Reporter abuse_ch
Tags:exe geo Halkbank MassLogger TUR


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: server2.enyeniweb.com
Sending IP: 45.84.189.142
From: T.HALK BANKASI A.S<HALKBANK.E-EKSTRE@halkbank.com.tr>
Reply-To: HALKBANK.E-EKSTRE@halkbank.com.tr
Subject: T.HALK BANKASI A.S. 09.10.2020 Hesap Ekstresi
Attachment: Halkbank_Ekstre_20201010_084704_520562.rar.rar (contains "ZCKH5nQQwhttNAi.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70518/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.3009.5411.13201.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Creating a file
Launching a process
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/489916
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Deletes itself after installation
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a0dd978d0c18469af2bce3de12e360921e74a22c717a3758fab3bd03f27a5496/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 08:53:07 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=udozpdimdbdjv4v44ppbfy3asiphjirmof5dowh2wo6qh4t2ksla._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
08c7131cac4c6c62004d8b2e3ce0b85d1b35e7325f753a865206814cd87ecdf4
MassLogger
0e27fff0e39073727446b880aca45cf3a065e450308c36b06374233318d7833c
MassLogger
2ab05797cf729e2a8c82cdfee67089f8378297c3b21379d11465207e681f2d1e
MassLogger
52610d8b6b7199cca5c5bb423edc65f316e8ab960774aa7348490899c125bcaf
MassLogger
6d5bb697a302b752cecf8e02febf84669ad5b6f366f8286dc152cf0c372a1642
MassLogger
70caf501b061da2729d33d4b0c5e9b9c58bc554cdbdddef16f7e057ea346808c
MassLogger
779ef456127a144ebaa7485d4109add0574ec267fc350d4d3493d77631a56fde
MassLogger
96c020d574c159341ab1d2dd8029637423bf01286bf930a34a5c9af605d01532
MassLogger
b0d7806609d30bdbfcb6e56320094558d6f3cd2c2c3f0e8e4479475d69160c41
MassLogger
d18ed06b9419076750525d6324bce7702186263efaa0ab0d3647510268883f37
MassLogger
+ 333 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
evasion stealer spyware family:masslogger
Link:
https://tria.ge/reports/201013-p6qrxz35se/
Behaviour
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
cb40d2ed9bfa303533688671b23a0909de6f414a8183fde074d8d7c40f50a1a4
MD5 hash:
4d6339ab212882f065ec1fe63483165d
SHA1 hash:
3d478f6ff95709cd292c5fe5f0f1a37dfde901a4
Link:
https://www.unpac.me/results/5a5a2f15-bb0f-40f4-bc2b-e55357c4f8fe/
SH256 hash:
1f92fe85c5c6f2da7f913b2ac9dfa930b97088202850844dd46a95fb88e28512
MD5 hash:
589579b94adc95a19d4d94ca4e83e376
SHA1 hash:
7aed235cd7a2e01a837b5d1b8717d6c48ab28662
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/5a5a2f15-bb0f-40f4-bc2b-e55357c4f8fe/
Parent samples :
0e27fff0e39073727446b880aca45cf3a065e450308c36b06374233318d7833c
a0dd978d0c18469af2bce3de12e360921e74a22c717a3758fab3bd03f27a5496
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/5a5a2f15-bb0f-40f4-bc2b-e55357c4f8fe/
SH256 hash:
a0dd978d0c18469af2bce3de12e360921e74a22c717a3758fab3bd03f27a5496
MD5 hash:
3e38e1d7210ce9bc9996d0c58844a1bb
SHA1 hash:
a79e9e71776e69c6880f8ecfb642bca0a2ef449b
Link:
https://www.unpac.me/results/5a5a2f15-bb0f-40f4-bc2b-e55357c4f8fe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/a0dd978d0c18469af2bce3de12e360921e74a22c717a3758fab3bd03f27a5496

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar 47ca3858f5270e1ca3ab3494252b51524dc874a81f85f1e2b9c6434918f89a7b

MassLogger

Executable exe a0dd978d0c18469af2bce3de12e360921e74a22c717a3758fab3bd03f27a5496

(this sample)

  
Dropped by
MD5 3020c992499844604e7b52730b1f2f56
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70518/
  
Dropped by
SHA256 47ca3858f5270e1ca3ab3494252b51524dc874a81f85f1e2b9c6434918f89a7b

Comments