MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbcaf0746383dc1928fe53805da2d9bb28123e7495d48759202a46217e6b456d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbcaf0746383dc1928fe53805da2d9bb28123e7495d48759202a46217e6b456d
SHA3-384 hash: 0e80fb4fa0dacf7c6133267ef82ef8e8e77590685023ce518c22a00338af4323123f0293b887085542a980c10839883d
SHA1 hash: 89f045dd35e0c1db8e6f17d6599eadbecf02dc9b
MD5 hash: 137f5fbd9080157bdc7048390d9d8c7c
humanhash: spaghetti-neptune-violet-friend
File name:WAY BILL.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:932'864 bytes
First seen:2020-10-16 12:41:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:jQJDuL0PTXIsy7eYmo7MnEwj3o1Tl94hB/BK:GO0PQNSnEwbo
Threatray 349 similar samples on MalwareBazaar
TLSH 7E15023523A86FA0E0BDD3BA64B0052017FAF586E335DB5C3CA952CE3956F508663B43
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: slot0.quinncornpany.com
Sending IP: 45.95.169.158
From: Ada Lei <info@marcegaglia.com>
Subject: SEA WAY BILL
Attachment: WAY BILL.r00 (contains "WAY BILL.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/493627
Signature
.NET source code contains potential unpacker
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299269 Sample: WAY BILL.exe Startdate: 16/10/2020 Architecture: WINDOWS Score: 100 33 Multi AV Scanner detection for dropped file 2->33 35 Sigma detected: Scheduled temp file as task from temp location 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 10 other signatures 2->39 8 WAY BILL.exe 7 2->8         started        process3 file4 23 C:\Users\user\AppData\Roaming\XinzdF.exe, PE32 8->23 dropped 25 C:\Users\user\...\XinzdF.exe:Zone.Identifier, ASCII 8->25 dropped 27 C:\Users\user\AppData\Local\Temp\tmpEF1.tmp, XML 8->27 dropped 29 C:\Users\user\AppData\...\WAY BILL.exe.log, ASCII 8->29 dropped 41 Injects a PE file into a foreign processes 8->41 12 WAY BILL.exe 2 8->12         started        14 schtasks.exe 1 8->14         started        signatures5 process6 process7 16 powershell.exe 17 12->16         started        19 conhost.exe 14->19         started        signatures8 31 Deletes itself after installation 16->31 21 conhost.exe 16->21         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bbcaf0746383dc1928fe53805da2d9bb28123e7495d48759202a46217e6b456d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 01:09:45 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xpfpa5ddqpobskh6koaf3iwzxmubeptusxkiowjafjdcc7tlivwq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
08d49c14a81bc6b95397e6c0adc1efa3325fd00cd3ba6c7083353f7d93be1429
MassLogger
20fe1d90bb66801400e3f746afb2408c1f17a772282f82bf707376559395e9fa
MassLogger
5967386e3a83cb9e0066223388892aade38751662b856048184c262239411aae
MassLogger
5dd8cf7e789bc36a9a069cf42247f758e8900f8913c88e5ac84328d30e6d7c99
MassLogger
69e28c099c18f7fd000440db3155e9818916f70535e10b392ae7c1fb54ba48be
MassLogger
796283950089c8792456eb6b2f89a148de3def99691115ae7aadf8dc930d4d4a
MassLogger
88e157995a6f79f670bad1611fdba6514152bb1f2682e0dbc28c3e9291b8c221
MassLogger
abd47175466abe2058151e12919ca9501497dbb286909bf7896d20d59fe73ef6
MassLogger
ce073fce9de335c288fe205d5bf7fbdd9fd3ecc718821116dbad098f176a69de
MassLogger
d38a8652771ca87506e06b24d7b6b21fd051042714faa477c7d7189c9bd94633
MassLogger
+ 339 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
stealer spyware family:masslogger
Link:
https://tria.ge/reports/201016-w8jw7tanae/
Behaviour
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
abb155f4af81ef9f083beb3e0ba4e2b144319d501eb1146c93641da4cb08cd19
MD5 hash:
5bbad5e7e74d207618a79d0da1bc4e4b
SHA1 hash:
43f7dee57e0763d42138982b61834d39af84ee2f
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/37466795-4b45-44f9-892e-f9aac0e14220/
Parent samples :
bbcaf0746383dc1928fe53805da2d9bb28123e7495d48759202a46217e6b456d
7428f5ccb3fa2d0ba8b295efd15c9acc87674180aa1d3bf71e8b91cd0a038381
e59c36dc0598faa7351b570742be5c064d7524d2e1ac8cc12aa4a8b16abee3f4
SH256 hash:
2d7491c8bd87785bab11a35b2205176d2ee93f929851fe628ffeb27b4ca228e1
MD5 hash:
e0faadce42e14ba90688bdabb67c79e8
SHA1 hash:
6ebf8d9ce110aad99f5265e4c8beb05b9b1ce2ee
Link:
https://www.unpac.me/results/37466795-4b45-44f9-892e-f9aac0e14220/
SH256 hash:
3b727e97f7612e2a53c634e620ef18ea7438a2dbe383dee4e986de0082645f7d
MD5 hash:
456b074a96fee6dd87714a47e1b01488
SHA1 hash:
78eebe58489842c0799ba6812dbefdc63aeb1a91
Link:
https://www.unpac.me/results/37466795-4b45-44f9-892e-f9aac0e14220/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/37466795-4b45-44f9-892e-f9aac0e14220/
SH256 hash:
bbcaf0746383dc1928fe53805da2d9bb28123e7495d48759202a46217e6b456d
MD5 hash:
137f5fbd9080157bdc7048390d9d8c7c
SHA1 hash:
89f045dd35e0c1db8e6f17d6599eadbecf02dc9b
Link:
https://www.unpac.me/results/37466795-4b45-44f9-892e-f9aac0e14220/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bbcaf0746383dc1928fe53805da2d9bb28123e7495d48759202a46217e6b456d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

r00 ce00fcfdea8167482006061fc894b02962b57fc44dcba57c51e636660bfe7392

MassLogger

Executable exe bbcaf0746383dc1928fe53805da2d9bb28123e7495d48759202a46217e6b456d

(this sample)

  
Dropped by
MD5 993bd9e50990d5d04422f1fe5157efc5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71975/
  
Dropped by
SHA256 ce00fcfdea8167482006061fc894b02962b57fc44dcba57c51e636660bfe7392

Comments