MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea6283f89a072a6fc910d5e1a023dd1b5b59b11b3dc18cf4773d7e03e68b21b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	ea6283f89a072a6fc910d5e1a023dd1b5b59b11b3dc18cf4773d7e03e68b21b1
SHA3-384 hash:	2bf349f67c2b61fed3e78ec6713143e8a350e250064aefd48113956fb0c4a556667c1202e3e6b6bb0f694e886910f5be
SHA1 hash:	344e3f7370d5a888baa20e379568ab9b0f640bf7
MD5 hash:	a41b1b8e5ed4f112ae799bbe82fdb5b6
humanhash:	comet-oscar-connecticut-skylark
File name:	Halkbank.pdf.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'236'992 bytes
First seen:	2020-11-05 10:19:04 UTC
Last seen:	2020-11-05 11:51:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:KgRzBk3OTRZNNpF9IhuDs05WjFfKwG6kKKBzyqzbVsf:KgPTTN/jKus5fKwG6kKKBOQbVw
Threatray	473 similar samples on MalwareBazaar
TLSH	6245D0F66386DB6AC80F043FF84B256193D9CB2E99F9844646C5B11917BC3CE56AC0CB
Reporter	abuse_ch
Tags:	exe geo Halkbank MassLogger TUR

abuse_ch

Malspam distributing MassLogger:

HELO: server.teknofirst.com
Sending IP: 185.171.90.167
From: HALKBANK.E-EKSTRE@halkbank.com.tr
Subject: T.HALK BANKASI A.Ş. 05.11.2020 Hesap Ekstresi
Attachment: Halkbank.pdf.r00 (contains "Halkbank.pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

142

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/83216/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.58565.26377.9303.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Deleting of the original file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/521307

Signature

.NET source code contains potential unpacker

Binary contains a suspicious time stamp

Deletes itself after installation

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Double Extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ea6283f89a072a6fc910d5e1a023dd1b5b59b11b3dc18cf4773d7e03e68b21b1/

Threat name:

ByteCode-MSIL.Backdoor.Androm

Status:

Malicious

First seen:

2020-11-05 08:15:19 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5jrih6e2a4vg7siq2xq2ai65dnnvtmi3hxayz5dxhv7ahzulegyq._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

74c4b80dac4f93d030f93df8f89b5c5321330a5b28243bd2020eb64f0b3bed62

MassLogger

88801297a310f88fd29cf5b1e9066eee829a6bf43fe65108f4bc64932b1e845b

MassLogger

ac0ca89c2e434d4128516896f5563003a1179583181d0d1fd06754f06ab4deed

MassLogger

c58a7945058bbff6a2bf9aed5ba18ae7aa69cdd935fdafd6df4873680dc8a49b

MassLogger

c930deb75ebc8fd117d585898358df69af8ce6ffe9569ef5f47ad9fc6f26d01e

MassLogger

ca18e92f0eb610f92ce008b708acdca5969f308e319f5f128099514948dbd808

MassLogger

cc2cc617d2d0f4b909be15f9720cdd9bdeade5fafe2b0c02eee852b15d33d366

MassLogger

d98beb65dff0d8e1963f1cc7df755e273bbe45c8143b556bc9a84bcfd0cdea78

MassLogger

f6c28a76b12ddb94037c6cac0426ba87fb3201634731b901f66aecc15d5a98be

MassLogger

+ 463 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

family:masslogger persistence spyware stealer

Link:

https://tria.ge/reports/201105-gclpt5n6wj/

Behaviour

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

MassLogger

MassLogger Main Payload

Unpacked files

SH256 hash:

ea6283f89a072a6fc910d5e1a023dd1b5b59b11b3dc18cf4773d7e03e68b21b1

MD5 hash:

a41b1b8e5ed4f112ae799bbe82fdb5b6

SHA1 hash:

344e3f7370d5a888baa20e379568ab9b0f640bf7

Link:

https://www.unpac.me/results/f342474b-5fa4-4480-a682-8c20c2dfc73e/

SH256 hash:

34ab9fa3a2d93b711bbfda533828afdd08542aa222239709ed849ce9f091f47b

MD5 hash:

59d8d9f4adb53cd79a17514c09364e09

SHA1 hash:

1b7973f0465dc5a27aaa9e727132783121f9ca50

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/f342474b-5fa4-4480-a682-8c20c2dfc73e/

Parent samples :

c930deb75ebc8fd117d585898358df69af8ce6ffe9569ef5f47ad9fc6f26d01e
ea6283f89a072a6fc910d5e1a023dd1b5b59b11b3dc18cf4773d7e03e68b21b1

SH256 hash:

31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b

MD5 hash:

0aebe46040ceb011e78506d4985fe3de

SHA1 hash:

218ac1e7b14a66c604ec3042f8486bed9cd4c2c1

Link:

https://www.unpac.me/results/f342474b-5fa4-4480-a682-8c20c2dfc73e/

SH256 hash:

53fe0076b21f81f360b22b2a6ea4301cb63db805d430460da88788d26c26876e

MD5 hash:

262b2e3544b030228685e20527eea435

SHA1 hash:

b985dc65c934246a6814bdde25150148a24f2d2a

Link:

https://www.unpac.me/results/f342474b-5fa4-4480-a682-8c20c2dfc73e/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

dd65806afcc4916e7eba1cae302d69d6

MassLogger

exe ea6283f89a072a6fc910d5e1a023dd1b5b59b11b3dc18cf4773d7e03e68b21b1

(this sample)

Dropped by

MD5 dd65806afcc4916e7eba1cae302d69d6

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/83216/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample