MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2bf3f45bdc745f100e74e154249ceccf3339a09de63ebd1118b50ed7a305a9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2bf3f45bdc745f100e74e154249ceccf3339a09de63ebd1118b50ed7a305a9b
SHA3-384 hash: 55e2536de6a0078ced9a81980640dc4cc1150003ab351c2d6a6c7cab73f469a9e1c0205c2ea2956e7bbd9ad259604199
SHA1 hash: b2e117d3376c2f7043218ca0932544ba849e006b
MD5 hash: 48051f86729e14fc8787d5895f06d30b
humanhash: oven-quebec-steak-paris
File name:NEW ORDER INQUIRY.exe
Download: download sample
File size:1'607'680 bytes
First seen:2020-08-21 15:03:12 UTC
Last seen:2020-08-21 15:30:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:KKNLdi9MZAnTI/XXKWN2ijNgmsTvEJZ+bFW9dj0uE:KKNLdi9oAnTeXXZN2ipg4SU9R0u
Threatray 536 similar samples on MalwareBazaar
TLSH 4675F73639838424CA750675C0A8E8C0B731A68A7B9ACB2F74C7534E5E03BAB7F55C5D
Reporter GovCERT_CH

Intelligence

File Origin
# of uploads :
2
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ispy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/49566/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.52027.223.20555.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Running batch commands
Deleting a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/444561
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a2bf3f45bdc745f100e74e154249ceccf3339a09de63ebd1118b50ed7a305a9b/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-19 03:47:19 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uk7t6rn5y5c7cahhjykuesooztzthgqj3zr6xuirrnio26rqlknq._file
Verdict:
unknown
Similar samples:
20be971374f0ffd1224aafed410fdb30e3340788a7dd80747dd18f3ef0f8168d
329a2570a79a64645c307b832f6bf62abeb151c14f6f608fd1d3b806a427da9d
35b6e2b8511ae0552a5de87abc510205a9d52a53ca6ed78b44299a31138475c8
4474bd1e6a8472755ccac7d31beeefa7575b8b89610b71d1d08cf95a0ca17358
4534997b5b146c7caebb2f398e7ea0f2bbf434af23155ad13b0acd09b0487325
5933110e6d5714ac077e2e45c86792cb48442e48718f25fddd78d5de54487c6e
95d334eb3cabab89dede94fa1fdfb66560e7ca453ac25be1729a5c0d2e783934
aa30ea6f5603484a2f71a0fa1429cef880ee018c6b3557ad09708dca055cbb22
b56dc20e7a6a6b86fb49f3802961cc8b21b75938af4de7bb55db894a8546246c
eb98cd837c0994df93bde2019caef785c7b7c9bfc373ca2135d928bd507bf3b3
+ 526 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware agilenet spyware stealer family:masslogger
Link:
https://tria.ge/reports/200821-x5nbc9dega/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Executes dropped EXE
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a2bf3f45bdc745f100e74e154249ceccf3339a09de63ebd1118b50ed7a305a9b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 787b5673df899d1c39ec1a125f163573683ad8496ef64e9947729ab3853028ec

Executable exe a2bf3f45bdc745f100e74e154249ceccf3339a09de63ebd1118b50ed7a305a9b

(this sample)

  
Dropped by
MD5 686a8dbfbf497f4a5fb7b84dab792eb2
  
Dropped by
SHA256 787b5673df899d1c39ec1a125f163573683ad8496ef64e9947729ab3853028ec
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/49566/

Comments