MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8a0ccb327ebc5fce7c9a2086cea22103467000ecda8f66b57c4af0b9536e81e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8a0ccb327ebc5fce7c9a2086cea22103467000ecda8f66b57c4af0b9536e81e
SHA3-384 hash: dc4879f9da24a48c81fb4c86d6848f1a862bd989a846aecd45a0b45bb31247739d1e45f6102c79adc6a03bbb0306049b
SHA1 hash: fe84eee3a0a6cc0b4c2a431529cb2d7aef243c49
MD5 hash: 9669cdeae595c665e9ee1f7a4196bf3e
humanhash: mango-december-orange-illinois
File name:Revised PI .pdf.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'032'704 bytes
First seen:2020-10-08 13:14:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:MkIGPkLKctOCvknThG8TWWCoTI29KT4FbHT4ytFVIrrkQJ6E:DrPwjt9knT0VWDduy7VikOZ
Threatray 278 similar samples on MalwareBazaar
TLSH 5A252301B6E85B23EE2E1BF9C531A541C3B1952B752BF3D98EA135DF4E47B148A42C23
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: addaaninternational.com
Sending IP: 156.96.151.232
From: zaman@addaaninternational.com
Subject: RE: RE: Discounted offers - PR# 2821 PO 23339
Attachment: Revised PI .pdf.ace (contains "Revised PI .pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69262/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Deleting of the original file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/485506
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295305 Sample: Revised PI .pdf.exe Startdate: 08/10/2020 Architecture: WINDOWS Score: 100 27 Antivirus detection for dropped file 2->27 29 Antivirus / Scanner detection for submitted sample 2->29 31 Multi AV Scanner detection for dropped file 2->31 33 12 other signatures 2->33 8 Revised PI .pdf.exe 6 2->8         started        process3 file4 21 C:\Users\user\AppData\...\rGGwtqwERNruwL.exe, PE32 8->21 dropped 23 C:\Users\user\AppData\Local\...\tmpE7A2.tmp, XML 8->23 dropped 25 C:\Users\user\...\Revised PI .pdf.exe.log, ASCII 8->25 dropped 11 Revised PI .pdf.exe 2 8->11         started        13 schtasks.exe 1 8->13         started        process5 process6 15 powershell.exe 19 11->15         started        17 conhost.exe 13->17         started        process7 19 conhost.exe 15->19         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a8a0ccb327ebc5fce7c9a2086cea22103467000ecda8f66b57c4af0b9536e81e/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 06:56:53 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vcqmzmzh5pc7zz6juiegz2rcca2goaaozwupm22xysxqxfjw5apa._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
249b1438e43913a18e085ec6b3ff767c3091cc55177c7730cfe62ab5bf168309
MassLogger
3a61c2e77a0e22e3d7958ef355b88e21b73986ab5e0f2e6dedf7e3d77691e0d6
MassLogger
6441c31aeba714b924340c5a7f01daae9bfa57c7a0aeae2780c49efdb54ee9f6
MassLogger
669c338b6022e64b567ca5975b33f2ca26ec77e3b85d3dcb5b8d2002417333d9
MassLogger
6fa989b62b63aaded7491064aa90066cbd99de488e716314295b2a4616f4b46c
MassLogger
9ce382b1991be3ae8fa744c4abf5d450ee9d376da295dfee8ca565551e75a9b0
MassLogger
bc0af8fda43937d6a0d717e5be51d3f5a51a67077bc8ca85f031fa5bc08d165a
MassLogger
bd99f6b970cc52ee725dd1b734a440243655a3fbc1e2304a665b29d41477c25b
MassLogger
ce073fce9de335c288fe205d5bf7fbdd9fd3ecc718821116dbad098f176a69de
MassLogger
e64ff6e23ce8911e74ee402d2cc1ed3d54998a56a6fb272b50c5a87363975305
MassLogger
+ 268 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware
Link:
https://tria.ge/reports/201008-93txmk311j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
4838d4d7362c91a1e9127b72929ac829b313ece4e00bced9b65ebc13986ccf23
MD5 hash:
0599766ba9cbd356dda144c816d77d5a
SHA1 hash:
196d612792406a0ec2f0a4eff0b58b3bba436ced
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/d539a648-311e-4a70-9de6-f2e392396d80/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/d539a648-311e-4a70-9de6-f2e392396d80/
SH256 hash:
372150b7ba2eae29b69c292837535f60874636cc657724944b9258335847f633
MD5 hash:
9c29c3253ed13e3dcf5d56b4d0d9993d
SHA1 hash:
dfe7b492b05df05a9fb8cade3a5d316a76fb964c
Link:
https://www.unpac.me/results/d539a648-311e-4a70-9de6-f2e392396d80/
SH256 hash:
a8a0ccb327ebc5fce7c9a2086cea22103467000ecda8f66b57c4af0b9536e81e
MD5 hash:
9669cdeae595c665e9ee1f7a4196bf3e
SHA1 hash:
fe84eee3a0a6cc0b4c2a431529cb2d7aef243c49
Link:
https://www.unpac.me/results/d539a648-311e-4a70-9de6-f2e392396d80/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/a8a0ccb327ebc5fce7c9a2086cea22103467000ecda8f66b57c4af0b9536e81e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 7a753d911976911e9d9c3ad75f533c8a1a514f9263b4310b76fa2a22d31d8cef

MassLogger

Executable exe a8a0ccb327ebc5fce7c9a2086cea22103467000ecda8f66b57c4af0b9536e81e

(this sample)

  
Dropped by
MD5 7e3228d397da396a41017bd4c799c633
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69262/
  
Dropped by
SHA256 7a753d911976911e9d9c3ad75f533c8a1a514f9263b4310b76fa2a22d31d8cef

Comments