MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f933824c34258a344750486cb998d303aba7dcaad0dec1e12ea59929b3703dd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f933824c34258a344750486cb998d303aba7dcaad0dec1e12ea59929b3703dd3
SHA3-384 hash: 6c5e9f040a97eb1efe28ea06f18e35948edbb7027c414d537bac4c98e0af4024cbd48a6502bf994f2cc2865c2827d40e
SHA1 hash: f42df0f759e1bec33ff50d2a262aee7f78b8b719
MD5 hash: da855a2177854deeeae07f99a3c38ac0
humanhash: papa-seven-glucose-black
File name:T HALK BANKASI A Åž 10 05 2020 10 09 2020 Hesap Ekstresi.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'158'144 bytes
First seen:2020-10-10 06:59:21 UTC
Last seen:2020-10-10 08:04:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:YF6qg4kqehFSgWZPaqovkPTjCU/cQLBQGd/Ar5:YjcqcSV4xk7a6mg
Threatray 911 similar samples on MalwareBazaar
TLSH 0035E1C46148B8EEC0576A706C3AAE70052EBFF923218109390737678977E576A5FC9F
Reporter abuse_ch
Tags:Endurance exe geo Halkbank MassLogger TUR


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gproxy8-pub.mail.unifiedlayer.com
Sending IP: 67.222.33.93
From: halkbank.e-ekstre@halkbank.com.tr <support@digitalera.co.in>
Subject: T.HALK BANKASI A.Ş. 10.05.2020 - 10.09.2020 Hesap Ekstresi
Attachment: T HALK BANKASI A Åž 10 05 2020 10 09 2020 Hesap Ekstresi.rar (contains "T HALK BANKASI A Åž 10 05 2020 10 09 2020 Hesap Ekstresi.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69705/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Launching a process
Reading critical registry keys
Setting a global event handler for the keyboard
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487429
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f933824c34258a344750486cb998d303aba7dcaad0dec1e12ea59929b3703dd3/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-10-10 00:27:09 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ezyetbuewfdir2qjbwltggtaov2pxfk2dpmdyjouwmstm3qhxjq._file
Verdict:
unknown
Similar samples:
213be9dcf549c1f170df21b37fd93ac8174cae220dc21872bab3bdbfcdcce66e
MassLogger
408b676c05cde3623e9271d39c20ec19aaa9ad9882db0f08451442379409be99
MassLogger
52cdd546546dd2aa15246f96b2d779b27656e72b7730282ed6e92c14aa978d77
MassLogger
8e6f297527e6eb70b658b01c08cf16d6e88a1d5716eaf2f3162ab5b972112ba9
MassLogger
a2c689776ac0293d25b03d0c864f9c5a5314d06da7a126682350939196eb16e6
MassLogger
df7c4243f9b8c7087628a1d52e81341e588e58695dfea9c02202266537e10540
MassLogger
df9b3d41a51bfe74090579138acaf0e2b6745c24f3625f3e3c6a4f6da00e2074
MassLogger
dfa5e1f893c313deda7e7ea47512b756a21bba962e07cb21248b9abbdaadf3a4
MassLogger
f924ed04e2ce70872e8e341379288a15579ade521df2e4d248054fe2d9357ee2
MassLogger
f939baf20921d0b9ed165d3339a3a316628ffe4907e73a7f99fb2b0d8e246928
MassLogger
+ 901 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
spyware stealer family:masslogger
Link:
https://tria.ge/reports/201010-j5tk87qq1a/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
f933824c34258a344750486cb998d303aba7dcaad0dec1e12ea59929b3703dd3
MD5 hash:
da855a2177854deeeae07f99a3c38ac0
SHA1 hash:
f42df0f759e1bec33ff50d2a262aee7f78b8b719
Link:
https://www.unpac.me/results/a3d1f7ab-a371-4c3e-9f56-ffa2f8bec2e1/
SH256 hash:
1bc4417a8a2910a1a21656421323555353c1d6374b33969cfd9bf3c3fa515dae
MD5 hash:
b64af521648efef278432a3f89e30332
SHA1 hash:
3aa928ec62347ce34868b8bdbe15442a72f6fa65
Link:
https://www.unpac.me/results/a3d1f7ab-a371-4c3e-9f56-ffa2f8bec2e1/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/a3d1f7ab-a371-4c3e-9f56-ffa2f8bec2e1/
SH256 hash:
3fbf00f25e41e3c47fee2b636dbc9f0438905cbef90b96644a241ff0bf72bde9
MD5 hash:
121e49b7a8aace94edf65b314dd071c0
SHA1 hash:
f6a46a70f199293063bf0a610580f68e30038895
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/a3d1f7ab-a371-4c3e-9f56-ffa2f8bec2e1/
Parent samples :
ad17d05d9bf7bb701bee55b078a0608a038e44a3c1c24b06b3eea34bfcdb280c
2d9767641256c44bceb6d6c684e76d72245750d1174408ef34e5d35185d4cadb
f933824c34258a344750486cb998d303aba7dcaad0dec1e12ea59929b3703dd3
e88ad7550181bf69efc96480a3b95ed329b47b60c9cb8b92720d0bfffcee6142
97f116dcd4a161a4265ccaf07dc12acec0e3e4a3af4216ba95f5f63c80a06fcd
4d4579f75cc3cb0a8c30ee234275dbb119dce187b4a490dff954d405caeeeb66
830a35f0de3ba2f90f79bca1d31b28026305edc8c25bc370ba90a9e8ef893b11
30920f99abe5eed123d3da56f24aca831bcc33e8e91548ef4bb3bc265f412fc2
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/f933824c34258a344750486cb998d303aba7dcaad0dec1e12ea59929b3703dd3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

rar 5571c3dffe6654324e0946cc08db027ed4a5889e7a766f68786c8d6612c56b74

MassLogger

Executable exe f933824c34258a344750486cb998d303aba7dcaad0dec1e12ea59929b3703dd3

(this sample)

  
Dropped by
MD5 fe94d115ce3dd02d535c739876f8561e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5571c3dffe6654324e0946cc08db027ed4a5889e7a766f68786c8d6612c56b74
Cape
Cape
https://www.capesandbox.com/analysis/69705/

Comments