MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2e30f7fb4bd1be4de7a4322f2a1d1b489259c1a54cc372a55148eca640d5a9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	c2e30f7fb4bd1be4de7a4322f2a1d1b489259c1a54cc372a55148eca640d5a9e
SHA3-384 hash:	0238d9f7bb966b6be7ed8a9e3ed6598f0f48c61fa2badacedfc5e40550f45028d925f9cf5b67786a82a36813c7959146
SHA1 hash:	fbc866ef9042882bac75d38f61806567e22b4bb1
MD5 hash:	bb0c51c972de3ad14654d9505ca69049
humanhash:	oregon-whiskey-pip-oscar
File name:	Order 01001O02.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	638'464 bytes
First seen:	2020-10-15 11:38:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:lEHagVBFxvKHelc2n64dYuhtT//J0cNhC+1oR2Pwv:lEHauKqXvquhtrh0cNEYWuwv
Threatray	48 similar samples on MalwareBazaar
TLSH	6FD4413DADD92637C2F7D675C9E61587FA1179833126AC4E60C703420A03B6B7DC6A2E
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: condor3828.startdedicated.com
Sending IP: 148.72.158.138
From: Pablo Silvage <sales.bigfzabric@gmail.com>
Reply-To: admin@nom-uk.com
Subject: Urgent Order 01001O02
Attachment: Order 01001O02.zip (contains "Order 01001O02.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

78

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Using the Windows Management Instrumentation requests

DNS request

Sending a custom TCP request

Launching a process

Enabling autorun by creating a file

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/492258

Signature

.NET source code contains very large strings

Adds a directory exclusion to Windows Defender

Creates an undocumented autostart registry key

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c2e30f7fb4bd1be4de7a4322f2a1d1b489259c1a54cc372a55148eca640d5a9e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-14 23:47:35 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ylrq675uxun6jxt2imrpfiorwseslha2ktgdoksvcshmuzanlkpa._file

Verdict:

malicious

Label(s):

masslogger

Similar samples:

1ca56622a5046a55fd09c9cdc61c262d9db3a009a88e0314e7bb9c64c973e9a7

1ef19274dbacbf0db57108d6d05f25b92eba6e563350c67bac58f07244fe54d7

28379fca654b86d91cdb606bb29ce739b5504b4392de17ecfb63d18506146ae6

35d0f7752b58898566762e5983987073ad1d6be30cfdd9a977f92cd14f48ab7c

4c66ebb40e5abd92b6a6985e8409116c5424ebb9af0c320cbafb031698e5022c

52610d8b6b7199cca5c5bb423edc65f316e8ab960774aa7348490899c125bcaf

7fd613b9b27239f8bd2aaaa338d6aef3649893befba81e7075a9ff72df8e2eae

96a8399aef7760c49b1b2fd59de6f8747f5de3bf85249c5d7e09e7499a5c097f

96b0419df5ee00bd898850a46dfe41636b6654ebb7dfe14b18d3cb6b7453f8c1

d9f4e53838a43981dee675993924484cd508c1d6fe40d619694e313e9d1e6569

+ 38 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201015-r2rzk127j2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Unpacked files

SH256 hash:

c2e30f7fb4bd1be4de7a4322f2a1d1b489259c1a54cc372a55148eca640d5a9e

MD5 hash:

bb0c51c972de3ad14654d9505ca69049

SHA1 hash:

fbc866ef9042882bac75d38f61806567e22b4bb1

Link:

https://www.unpac.me/results/b84092c1-8cea-4a53-9e1f-a32d95a8cc4f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.97

Link:

https://yomi.yoroi.company/submissions/c2e30f7fb4bd1be4de7a4322f2a1d1b489259c1a54cc372a55148eca640d5a9e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 036599494a33cab7b197f0aaa2af147c99e8526c7791c4d7aed91e8bef2ab301

exe c2e30f7fb4bd1be4de7a4322f2a1d1b489259c1a54cc372a55148eca640d5a9e

(this sample)

Dropped by

MD5 cfcd5c8ab4988c826562453dd7eed8f0

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/71315/

Dropped by

SHA256 036599494a33cab7b197f0aaa2af147c99e8526c7791c4d7aed91e8bef2ab301

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample