MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f38bf49d1b80576d1df0cea02b590d52b16dfd03acfa6f9776fb010bd88ec38d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	f38bf49d1b80576d1df0cea02b590d52b16dfd03acfa6f9776fb010bd88ec38d
SHA3-384 hash:	03a5f9ba429014ba648b292eac00b462726cd034e3ef2e2ec9da3c87a1898369e9c4fddb19f9fb8700fb0f7fe3f71e54
SHA1 hash:	52fae0a23be2b93f3d8954bcdae95a1daeb6914e
MD5 hash:	b8681b59671bbc3bfdf4b983f913bf6f
humanhash:	pizza-pennsylvania-mirror-november
File name:	CHANG_10928748.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'382'912 bytes
First seen:	2020-08-04 10:50:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'628 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:DO6IYxPewVfURuRIr34dDvwXswSoEPuSQN9DIsxf44ZlgV:rIPwRGr4pwXswbBSQNFIsNjgV
Threatray	745 similar samples on MalwareBazaar
TLSH	B355CFC5F5C059D9D81A493B4C327C918B336C2B9F028E023C9DB6596BBB5865E34B8F
Reporter	abuse_ch
Tags:	exe MassLogger Yahoo

abuse_ch

Malspam distributing MassLogger:

HELO: sonic312-21.consmr.mail.sg3.yahoo.com
Sending IP: 106.10.244.211
From: Angolan Semba <sangolansemba@yahoo.com.sg>
Subject: : Fwd: Wire Transfer Payment
Attachment: CHANG_10928748.rar (contains "CHANG_10928748.exe")

MassLogger SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38507/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/409304

Signature

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f38bf49d1b80576d1df0cea02b590d52b16dfd03acfa6f9776fb010bd88ec38d/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-04 10:52:07 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6of7jhi3qblw2hpqz2qcwwinkkyw37idvt5g7f3w7maqxweoyogq._file

Verdict:

unknown

MassLogger

4afbf197b53084d8d3d79ffe791e17b5d4dcddec2b77a531cf33ffd54f3f64d0

MassLogger

4c172115335644672c3a6ef0b6db25528e124eed105da496db95f2672d7120ea

MassLogger

8f8324aa2244c6ecc4369ef6e5ea25b405ecf48aef96e34cc04c56f6ad240ade

MassLogger

96af26169543b638599cd1c9e7b236572c5cdab29c844d7e824b30f0a2cbab16

MassLogger

a551bc2327862c1430dac51dce368001622525fae235ca689f7b055e0d3125c7

MassLogger

acef143204e66bd0ef761c302176d61d547b9bfd78960c7607a9863bdafaae19

MassLogger

bcd7372fd84fe78e97a72a842df6cab2a5d7a47909a3fd05b13f6f4990de8a7f

MassLogger

ebcea3b90af00f67983ebb15abec7e46a480818904a74764aab402da08d7b16b

MassLogger

f9780f06f0da7544e13584ce58e03ccb796326b01dc2d05f5f5917aa461710be

MassLogger

+ 735 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware stealer spyware family:masslogger

Link:

https://tria.ge/reports/200804-3d5edyfp9e/

Behaviour

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger log file

MassLogger

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f38bf49d1b80576d1df0cea02b590d52b16dfd03acfa6f9776fb010bd88ec38d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.