MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce073fce9de335c288fe205d5bf7fbdd9fd3ecc718821116dbad098f176a69de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	ce073fce9de335c288fe205d5bf7fbdd9fd3ecc718821116dbad098f176a69de
SHA3-384 hash:	3d9479e4b4374ed7c33c1d055f73a0738391251c415abb88b2013c98cdb0a29475865df5f025c772cb0101fcefca1e36
SHA1 hash:	9cea9b6ccd3ece0b7ad8a9058cba4cd3d016a9fc
MD5 hash:	4ef03f2d952ac15ca8ab890de1be2d95
humanhash:	pluto-maine-wyoming-edward
File name:	Halkbank_Ekstre_20200916_175424_052121.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	929'792 bytes
First seen:	2020-10-07 10:49:36 UTC
Last seen:	2020-10-07 12:24:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'658 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	24576:hG1OW7HuVUtrgt0ME9lhDLKt4bf8xbqbbDLD:htWoigaRXDLKKL8RqbfH
Threatray	263 similar samples on MalwareBazaar
TLSH	B315F19C365075EFC817CA36DE686C64BA20757B531FD347A41326AC9A0EA9BCF011F2
Reporter	abuse_ch
Tags:	exe geo Halkbank MassLogger TUR

abuse_ch

Malspam distributing MassLogger:

HELO: slot0.quinncornpany.com
Sending IP: 45.95.169.158
From: HALKBANK.E-EKSTRE-alkbank.com.tr <HALKBANK.E-EKSTRE@halkbank.com.tr>
Subject: T.HALK BANKASI A.S. 01.10.2019 - 06.10.2020 Hesap Ekstresi
Attachment: Halkbank_Ekstre_20200916_175424_052121 1.r00 (contains "Halkbank_Ekstre_20200916_175424_052121.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/68901/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/484026

Signature

Binary contains a suspicious time stamp

Deletes itself after installation

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ce073fce9de335c288fe205d5bf7fbdd9fd3ecc718821116dbad098f176a69de/

Threat name:

ByteCode-MSIL.Trojan.CryptInject

Status:

Malicious

First seen:

2020-10-07 06:51:17 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zydt7tu54m24fch6ebovx5733wp5h3ghdcbbcfw3vuey6f3knhpa._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

0ef2593d361644ba25c85b621e05c425fc5c42c272cc5dca619ce29ee19c7fc1

MassLogger

6030faadae8d2aa1b94b06da9c0d4ed3ce33076a1bc04218027519b1043a6a95

MassLogger

6441c31aeba714b924340c5a7f01daae9bfa57c7a0aeae2780c49efdb54ee9f6

MassLogger

6d9aaf59f30c370edf5921da5c9085d00c826c01af55e8dde046b08b2573d8f2

MassLogger

9f999d5b44ff7bd243bc33f8a89f504c95d6b21eef26b7b80a49715471ff43d3

MassLogger

9fb2e0b5f09a7d3d66195fbaa6e7055cba4331ca2563305fc32104c82a978aa9

MassLogger

d7b0da0e8ccc1474692b0d96320de2254fa2b033bf3c00a9d10dad95aed383ad

MassLogger

e64ff6e23ce8911e74ee402d2cc1ed3d54998a56a6fb272b50c5a87363975305

MassLogger

fc8f5c635abe5534833683141ae57470c09a246eb290895ce748d1bede405c25

MassLogger

+ 253 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

spyware

Link:

https://tria.ge/reports/201007-zmvkyscff2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

ce073fce9de335c288fe205d5bf7fbdd9fd3ecc718821116dbad098f176a69de

MD5 hash:

4ef03f2d952ac15ca8ab890de1be2d95

SHA1 hash:

9cea9b6ccd3ece0b7ad8a9058cba4cd3d016a9fc

Link:

https://www.unpac.me/results/b8e10acf-15e3-4bad-9340-2201ef38e9ba/

SH256 hash:

9f6a14117a3c7be6a00895df2741aeba6fd29c4e7089c2ab20684d7288d6a77b

MD5 hash:

20128fe828639acb782320b3bf9862cb

SHA1 hash:

3b933a614280a54635b18f29612386678c943fab

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/b8e10acf-15e3-4bad-9340-2201ef38e9ba/

Parent samples :

ce073fce9de335c288fe205d5bf7fbdd9fd3ecc718821116dbad098f176a69de
5dd8cf7e789bc36a9a069cf42247f758e8900f8913c88e5ac84328d30e6d7c99

SH256 hash:

607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b

MD5 hash:

a90baadadf904455325f7bc787185c7b

SHA1 hash:

7d833bb819d638008c98be469b05db2feaf201cd

Link:

https://www.unpac.me/results/b8e10acf-15e3-4bad-9340-2201ef38e9ba/

SH256 hash:

a5e09461f502c0dd40ea256c4a4751e0b8f27b0022cf55a7797a4d4759fadf5e

MD5 hash:

b54296ce63d5988d905e0756a679cc56

SHA1 hash:

d24ffaaaf63f2d373c3f1da2f1c48a17e4dc892d

Link:

https://www.unpac.me/results/b8e10acf-15e3-4bad-9340-2201ef38e9ba/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ce073fce9de335c288fe205d5bf7fbdd9fd3ecc718821116dbad098f176a69de

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

r00 730ad49330ea42fe003ec5075421e3bd521a47055faab1bb72044b9be40856b9

MassLogger

exe ce073fce9de335c288fe205d5bf7fbdd9fd3ecc718821116dbad098f176a69de

(this sample)

Dropped by

MD5 03ca27741604b063f8029e1e09dd8d75

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 730ad49330ea42fe003ec5075421e3bd521a47055faab1bb72044b9be40856b9

Cape

https://www.capesandbox.com/analysis/68901/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample