MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f54e2a18f9a6b1f5fa144306a9ad3e277e0dfa581543c5156a6a59b644c913da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f54e2a18f9a6b1f5fa144306a9ad3e277e0dfa581543c5156a6a59b644c913da
SHA3-384 hash: 184ddbd4ed126de7f9c410516241c58b26c511cdb105b0e98f822c480bb84d34f80647662906017fd09f3e2999d112db
SHA1 hash: 17579a4ba2bb840b62dffd7c211905c297967bf2
MD5 hash: 5f7b0769ecc70adc2b32c6916050d4ab
humanhash: montana-queen-grey-papa
File name:Request for Quotation N0. 2005744.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:874'496 bytes
First seen:2020-06-24 08:27:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:BokkeNMfwMLQZQDKhjhldO12dVWVOF7Lw6hyD7zjDjN3WjYfCQ0V/KiQWHM:NNAQZQDelNdaQzhyDnjDjUswKnWHM
Threatray 1'059 similar samples on MalwareBazaar
TLSH 2E05121333ACD9A7C57C16F6C8C2A74857B219AB2A42F3C95CC035A525D7FF619222CB
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: asia.com
Sending IP: 185.222.57.136
From: unileversupply@asia.com
Subject: REQUEST FOR QUOTATION
Attachment: Request for Quotation N0. 2005744.gz (contains "Request for Quotation N0. 2005744.exe")

MassLogger SMTP exfil server:
mail.drngetu.co.za:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/13600/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Reading Telegram data
Reading critical registry keys
Moving a file to the %temp% subdirectory
Deleting a recently created file
Setting a global event handler for the keyboard
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f54e2a18f9a6b1f5fa144306a9ad3e277e0dfa581543c5156a6a59b644c913da/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-24 08:29:04 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6vhcughzu2y7l6quimdktlj6e57a36sycvb4kflknjm3mrgjcpna._file
Verdict:
suspicious
Similar samples:
01214329917b407fed2ff876f8867214125c6f27ada5623891253a2ee012288a
MassLogger
0137eab9ffb892bcff1aabd6bba89c41459cf49087222ebb2723c3ce5a755ad3
MassLogger
031b0bcde6e169070993f85f816ecaf48f46a90f40f2d08cf5e0089d11d25e32
MassLogger
666b4d8521af8e8c149431fea4f3fce4d859b9d102e894928edb0e005ad8153d
MassLogger
76933bfe9afdf8d266352155f09995acadcab23345fabe2518d5bf15d45c9cd4
MassLogger
7ea8e3c5414b0264c420a0d58d0807738c61aa5c1784ad0f555399b76f7ac4ca
MassLogger
851f1641fb283113cc5feb03c807bc82dc4d85ecd22ab8ff091a8edd71bb45ed
MassLogger
97b4fea61d49c93281c6a9b0e058bd747c1cc85458889ce745e577414db2a8dd
MassLogger
9a76fa2bd0df22fd79b7e38248b3a765a524070bc68175811914968c731fe6eb
MassLogger
d2ae3fabca5021b33bfa9326b06dea2cc82a56537a1d473934553bdcdfaddb74
MassLogger
+ 1'049 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware stealer spyware family:masslogger
Link:
https://tria.ge/reports/200624-4xrmtxq2j2/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

gz a01bc8c3c2b23bb4fa0d6dc408d718acce32b42db2c1c723c760297a3da067ab

MassLogger

Executable exe f54e2a18f9a6b1f5fa144306a9ad3e277e0dfa581543c5156a6a59b644c913da

(this sample)

  
Dropped by
MD5 e07bbf01ebf8753774b40814c29e601a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/13600/
  
Dropped by
SHA256 a01bc8c3c2b23bb4fa0d6dc408d718acce32b42db2c1c723c760297a3da067ab

Comments