MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad32cadc3a75e969c0e8c25dfec398378aceb406017050763ce3c5d482998f42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad32cadc3a75e969c0e8c25dfec398378aceb406017050763ce3c5d482998f42
SHA3-384 hash: 1a3071638922911858f43cf1737b71233727ab9474320e24af5adf86dd2f131a9d6ccb1c709b464f12758b5af58c129d
SHA1 hash: fde0db688d6abb4aad0bb646db9f1c192d980b5a
MD5 hash: 73c81dd67773b2efa5261e20adf74a5b
humanhash: fish-charlie-october-blue
File name:PAYMENT DETAILS CONFIRMATION.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'015'808 bytes
First seen:2020-09-17 05:08:34 UTC
Last seen:2020-09-17 06:04:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:8I3j32qQLhX/CUoDnbUVo2yhVx/NOMCh/zduiMxVRPXQJA:j6DhaJAMx/NOMChxp8PXg
Threatray 579 similar samples on MalwareBazaar
TLSH 1125F12222587FA7E03DA73E441911128BF3D44BE737FB5DFC8940D96D6AF8246A2742
Reporter cocaman
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
3
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Masslogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/62648/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.30923.23347.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/468757
Signature
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 286796 Sample: PAYMENT DETAILS CONFIRMATION.exe Startdate: 17/09/2020 Architecture: WINDOWS Score: 88 22 Multi AV Scanner detection for submitted file 2->22 24 Yara detected MassLogger RAT 2->24 26 Yara detected AntiVM_3 2->26 28 5 other signatures 2->28 8 PAYMENT DETAILS CONFIRMATION.exe 3 2->8         started        process3 file4 20 C:\...\PAYMENT DETAILS CONFIRMATION.exe.log, ASCII 8->20 dropped 11 PAYMENT DETAILS CONFIRMATION.exe 2 8->11         started        process5 process6 13 cmd.exe 1 11->13         started        process7 15 powershell.exe 17 13->15         started        18 conhost.exe 13->18         started        signatures8 30 Deletes itself after installation 15->30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad32cadc3a75e969c0e8c25dfec398378aceb406017050763ce3c5d482998f42/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-09-17 02:01:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
46
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vuzmvxb2oxuwtqhiyjo75q4yg6fm5nagafyfa5r44pc5jauzr5ba._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
20be971374f0ffd1224aafed410fdb30e3340788a7dd80747dd18f3ef0f8168d
MassLogger
2dcd8c440ad89be13a989eaee911c9aa3e79d5a80c8aab4c7832a82c726bc465
MassLogger
329a2570a79a64645c307b832f6bf62abeb151c14f6f608fd1d3b806a427da9d
MassLogger
35b6e2b8511ae0552a5de87abc510205a9d52a53ca6ed78b44299a31138475c8
MassLogger
4534997b5b146c7caebb2f398e7ea0f2bbf434af23155ad13b0acd09b0487325
MassLogger
5933110e6d5714ac077e2e45c86792cb48442e48718f25fddd78d5de54487c6e
MassLogger
a2bf3f45bdc745f100e74e154249ceccf3339a09de63ebd1118b50ed7a305a9b
MassLogger
aa30ea6f5603484a2f71a0fa1429cef880ee018c6b3557ad09708dca055cbb22
MassLogger
b56dc20e7a6a6b86fb49f3802961cc8b21b75938af4de7bb55db894a8546246c
MassLogger
eb98cd837c0994df93bde2019caef785c7b7c9bfc373ca2135d928bd507bf3b3
MassLogger
+ 569 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/200917-pfb7k8esz2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Maps connected drives based on registry
Checks BIOS information in registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Looks for VirtualBox Guest Additions in registry
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad32cadc3a75e969c0e8c25dfec398378aceb406017050763ce3c5d482998f42

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip d24c4c9b26b2dce1de2a0797c2e46fc5f58e342930d8ced675680a250fd22ba8

MassLogger

Executable exe ad32cadc3a75e969c0e8c25dfec398378aceb406017050763ce3c5d482998f42

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 d24c4c9b26b2dce1de2a0797c2e46fc5f58e342930d8ced675680a250fd22ba8
Cape
Cape
https://www.capesandbox.com/analysis/62648/

Comments