MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a95841c0ebc43b93e86d68701817f8d3401a92e9f65a8b6a8faf66de97f9bb7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	a95841c0ebc43b93e86d68701817f8d3401a92e9f65a8b6a8faf66de97f9bb7d
SHA3-384 hash:	a17b62976ea1c845e184271e1bcdda1dd9fbe1df5feb2f28c5d6f9291cbfd1da311f297cdee8e625ae510e9131d32a71
SHA1 hash:	25097e3d867496c1e0b1958283dfacd4cb10ff1e
MD5 hash:	b9d10f4408bf860a0a8b6243083ea0b4
humanhash:	winter-river-juliet-december
File name:	Order Inquiry List With 3D Artwork.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	902'144 bytes
First seen:	2020-08-05 07:21:38 UTC
Last seen:	2020-08-05 08:00:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:2qmSuSndpZLrOB5qYs/WrMHjzM6WfWd7Ah:vfZe5ns/hzMrfW8
Threatray	672 similar samples on MalwareBazaar
TLSH	9A152356EFDE7B00F76F313978902220A36153A554B3E7381FF7044BA83B2969096A1F
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: qq.com
Sending IP: 59.36.132.88
From: 电镀 <vcp@rtdln.com>
Subject: FW:RE:Re:【Alibaba_Inquiry_Notification】Jenny_from_Poland_has_sent_you_an_inquiry
Attachment: Order Inquiry List With 3D Artwork.zip (contains "Order Inquiry List With 3D Artwork.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

69

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Trojan.Inject3.48369.27408.8384.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Running batch commands

Creating a file

Launching a process

Creating a window

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/410355

Signature

Deletes itself after installation

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a95841c0ebc43b93e86d68701817f8d3401a92e9f65a8b6a8faf66de97f9bb7d/

Threat name:

ByteCode-MSIL.Trojan.Perseus

Status:

Malicious

First seen:

2020-08-05 07:23:07 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vfmedqhlyq5zh2dnnbybqf7y2nabvexj6zniw2upv5tn5f7zxn6q._file

Verdict:

unknown

Similar samples:

065011f5098f869c79ff098a104765fa08050cfef16bac98b0944108de1ebee4

0b0537b9f976c4a49f1105bc03d252c0cac7a99b9abdb1a020d2966b6a0b1285

0b59a5ffd1da84a9bf88fc0c49d758fb8288f1e9564111ec5c4f8e0ffa91940d

21cea3a243809c8cc06412ffd647e4896b35a246cf8c365484e0419477d94b37

2aa941b7340367ad780683ac45b75f8e63b4df7913b4ca6f95e794fd75b36b03

7080b4b381aa5445667f682c0b6d8a7651dfbf8c07383f9796ffd8558e506338

9d12d73cdddda4b11bbfa38b1bc056e20063a75f38decb5e8af5e6a30c078673

a4df7bd8daff5a4723055c7589244e1719c45223f09f42b06a621aad5ee1f2f4

e5caa150b119335b8b2fe8c999f8e801c1e74b010ceb58b794804ea6b4b07c61

f4bf32943d6b14bf9e025c20f0fb7342982c025ba64b151687a99202091bf2eb

+ 662 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200805-zkdjahrwxs/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/a95841c0ebc43b93e86d68701817f8d3401a92e9f65a8b6a8faf66de97f9bb7d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 8b3efee83e420509df329db90bf2e024655797605887c605f2553b3e8d4c82cf

exe a95841c0ebc43b93e86d68701817f8d3401a92e9f65a8b6a8faf66de97f9bb7d

(this sample)

Dropped by

MD5 7b372f3d021b452c648229ba49e203fd

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/39081/

Dropped by

SHA256 8b3efee83e420509df329db90bf2e024655797605887c605f2553b3e8d4c82cf

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample