MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc13ffa3b767641ff58d98c8df48167b55c45fb97335b4819c4af8a57af47ff1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	bc13ffa3b767641ff58d98c8df48167b55c45fb97335b4819c4af8a57af47ff1
SHA3-384 hash:	69a074b5c4fabb301765603dbeab4a9ed091f5792af650ef701126bf08d1d7393faac1b8435b57fb38f6cf0ad0b9631a
SHA1 hash:	be8af1891ecdb1d472499374f2c03e9d8f097a43
MD5 hash:	20bbb3601fca04cd5c8b094a111805eb
humanhash:	hamper-spring-alpha-minnesota
File name:	BANK SLIP.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	828'416 bytes
First seen:	2020-08-11 14:13:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:cJ8FyqSgrpiAfG9IPdN+UWSMj3wdFSGrTI1yIqaHha7nJP5gDqP3ZvxI6NU3DsOz:cJyySQAWIPGVYdFSGf+waHcBWDqP3k
Threatray	695 similar samples on MalwareBazaar
TLSH	BE05AEAC325876DEC49BCD368A6C2C50AA213C675B1FC60B601731AD5A3DB97DF112B3
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: server.linux108.papaki.gr
Sending IP: 185.138.43.36
From: Ian Walker <iwalker@multipowerproducts.com>
Reply-To: Ian Walker <iwalker@multipowerproducts.com>
Subject: RE:RECIBO DE TRANSFERENCIA BANCARIA
Attachment: BANK SLIP.zip (contains "BANK SLIP.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

75

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/43504/

Detection(s):

SecuriteInfo.com.CIL.HeapOverride.Heur.27001.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Running batch commands

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/419259

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Deletes itself after installation

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bc13ffa3b767641ff58d98c8df48167b55c45fb97335b4819c4af8a57af47ff1/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-11 14:15:09 UTC

AV detection:

25 of 27 (92.59%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xqj77i5xm5sb75mntden6sawpnk4ix5zom23jam4jl4kk6xup7yq._file

Verdict:

unknown

Similar samples:

045cfe04d64a1c71873d0fb2dbd1a48471f9918b1649b87ef001010dfc2a4286

09fb066f4a5fbc57b4d592a8443151578605c8a573746c3989a79bd1fa28c3a2

0ae98808b96b08f4de9c3c5cfdd54c2021c7fcd63b66965373c23a1376993831

76933bfe9afdf8d266352155f09995acadcab23345fabe2518d5bf15d45c9cd4

89c1555df1aec68698da57ff4e65909c72081a3560d59e0ccdc8b150adcdf9f6

c744751ad79f737ac78fe9c69afac4c7b8940951b2fe67d20175d27e77721371

c8014126255b80593651f5fe1e69e069147866498dbb78129f775d76a0fa8682

c8174141c60baa057aa9780fdb5fe1e4af59b9d3a9d5a1d8ab7d929b13d3882b

f98b35d218026beac9f13d886758bb0712fda3dc74ae7fbc5b29ce5fb63109ab

ff0b197ef34800ad007a5caedaf485af5ae523343ce8ec106d3a253d2c0a4a35

+ 685 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200811-ts5trzkr1j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bc13ffa3b767641ff58d98c8df48167b55c45fb97335b4819c4af8a57af47ff1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 84b16561275c32c677e704e8fad8188bc020eb936e41fbab448a4ff333d83d84

exe bc13ffa3b767641ff58d98c8df48167b55c45fb97335b4819c4af8a57af47ff1

(this sample)

Dropped by

MD5 b921d78284be712b37e6c92609ec06e5

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 84b16561275c32c677e704e8fad8188bc020eb936e41fbab448a4ff333d83d84

Cape

Cape

https://www.capesandbox.com/analysis/43504/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample