MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9336d9a6f04d7ffaafcae2248690a05d8b8e6a21a0941d89be54c6b7a5fcbbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9336d9a6f04d7ffaafcae2248690a05d8b8e6a21a0941d89be54c6b7a5fcbbe
SHA3-384 hash: d552529d3f7f416f2fab92638758f2b24bbdb901ee634be55207d2efc7e83eadc2509834ac24b020f8b83a28c218f9be
SHA1 hash: 49728970841b3ea118fcdd0d69499cdc2d80dbb5
MD5 hash: dd2142699a20a160cb2b9b2b886f0c15
humanhash: jupiter-white-pennsylvania-arkansas
File name:TENDER 2000595399.zip
Download: download sample
Signature MassLogger
Create hunting rule
File size:547'869 bytes
First seen:2024-11-22 09:02:16 UTC
Last seen:2024-11-22 10:53:45 UTC
File type: zip
MIME type:application/zip
ssdeep 12288:Typ7D+sOVfJkMuSwVBwZs4XZ3SyaUPwAb+IFQcV1urH6:Typ7DHOVfJkMu9cZsOZ3aWIqf
TLSH T141C4238676C28633CC74C446EF782B81D950C1DC032DA896BDDD7CD17156BBE329E2AA
Magika zip
Reporter cocaman
Tags:MassLogger QUOTATION zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Aitkuzhinov Yernur <Yernur.Aitkuzhinov@saipem.com>" (likely spoofed)
Received: "from host.feroxtechnologies.solutions (unknown [108.163.204.124]) "
Date: "22 Nov 2024 05:52:45 -0500"
Subject: "REQUEST FOR QUOTATION #2000595399| PR #11926440| FRAME AGREEMENT FOR SCANNING AND DIGITALIZING ==>SAIPEM KUWAIT BRANCH"
Attachment: "TENDER 2000595399.zip"

Intelligence

File Origin
# of uploads :
4
# of downloads :
656
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:sosoliso.exe
File size:985'088 bytes
SHA256 hash: 4d50b2d0f89dae760cd7c7aaed9a3ab180de2c4e9b8d4ef9d10e141729396716
MD5 hash: 3a97e698de8a9692656e5e53e74635d4
MIME type:application/x-dosexec
Signature MassLogger
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6740499fb31374f098336743
Tags:
autoit emotet
Result
Verdict:
Malicious
File Type:
PE File
Link:
https://app.docguard.net/e9336d9a6f04d7ffaafcae2248690a05d8b8e6a21a0941d89be54c6b7a5fcbbe/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit compiled-script fingerprint keylogger microsoft_visual_cc monero packed packed packer_detected redcap
Link:
https://www.filescan.io/uploads/674048c747b473f9c1689d42/reports/5a7767c0-e384-473e-9029-0abc170bf3cf/overview
Verdict:
Suspicious
Labled as:
Troj/AutoIt
Link:
https://www.hybrid-analysis.com/sample/e9336d9a6f04d7ffaafcae2248690a05d8b8e6a21a0941d89be54c6b7a5fcbbe
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/e9336d9a6f04d7ffaafcae2248690a05d8b8e6a21a0941d89be54c6b7a5fcbbe
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9336d9a6f04d7ffaafcae2248690a05d8b8e6a21a0941d89be54c6b7a5fcbbe/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2024-11-22 05:57:32 UTC
File Type:
Binary (Archive)
Extracted files:
24
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ezw3gtpatl77kx4vyreq2ikaxmlrzvcdieudwe34vggw6s7zo7a._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
collection discovery
Link:
https://tria.ge/reports/241122-mfdacavmdl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e9336d9a6f04d7ffaafcae2248690a05d8b8e6a21a0941d89be54c6b7a5fcbbe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:YahLover
Create hunting rule
Author:Kevin Falcoz
Description:YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip e9336d9a6f04d7ffaafcae2248690a05d8b8e6a21a0941d89be54c6b7a5fcbbe

(this sample)

MassLogger

Executable exe 4d50b2d0f89dae760cd7c7aaed9a3ab180de2c4e9b8d4ef9d10e141729396716

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 4d50b2d0f89dae760cd7c7aaed9a3ab180de2c4e9b8d4ef9d10e141729396716
  
Dropping
MD5 3a97e698de8a9692656e5e53e74635d4

Comments