MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f98b35d218026beac9f13d886758bb0712fda3dc74ae7fbc5b29ce5fb63109ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	f98b35d218026beac9f13d886758bb0712fda3dc74ae7fbc5b29ce5fb63109ab
SHA3-384 hash:	256400d61cb2e9164bd95decba541937a1ce674f201a7f25183472bb7fe70c3c944243f2fa0ec9145d180ea2a7ae47f7
SHA1 hash:	b02ccd068ac1120873abd28f1d9e356417bfbc11
MD5 hash:	c1bc6e48612fc775cf6bdcb6cb037f87
humanhash:	autumn-autumn-michigan-single
File name:	7xzfZF3ytRSjYKH.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	782'848 bytes
First seen:	2020-08-13 05:53:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:ZKjqfZn5MD6MT2YoorvnG54zvPhiA+ERMJoQ5A2aEPFFCpO+j4VB:ZKjqXMD662OauzHhPeOQ5A21PniY
Threatray	521 similar samples on MalwareBazaar
TLSH	A7F4013037EA2A85C36D0EB6556310405BB9352BFF55D34E2D8972ED083AB357281FAB
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing unidentified malware:

HELO: server.linux108.papaki.gr
Sending IP: 185.138.43.36
From: Ian Walker <iwalker@multipowerproducts.com>
Reply-To: Ian Walker <iwalker@multipowerproducts.com>
Subject: RE:RECIBO DE TRANSFERENCIA BANCARIA
Attachment: Bank Slip..zip (contains "7xzfZF3ytRSjYKH.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

76

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/44814/

Detection(s):

SecuriteInfo.com.CIL.HeapOverride.Heur.9319.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Running batch commands

Launching a process

Deleting of the original file

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/425114

Signature

Deletes itself after installation

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f98b35d218026beac9f13d886758bb0712fda3dc74ae7fbc5b29ce5fb63109ab/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-13 05:55:06 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7gftluqyajv6vsprhwegowf3a4jp3i64osxh7pc3fhhf7nrrbgvq._file

Verdict:

unknown

Similar samples:

045cfe04d64a1c71873d0fb2dbd1a48471f9918b1649b87ef001010dfc2a4286

09fb066f4a5fbc57b4d592a8443151578605c8a573746c3989a79bd1fa28c3a2

0ae98808b96b08f4de9c3c5cfdd54c2021c7fcd63b66965373c23a1376993831

76933bfe9afdf8d266352155f09995acadcab23345fabe2518d5bf15d45c9cd4

89c1555df1aec68698da57ff4e65909c72081a3560d59e0ccdc8b150adcdf9f6

bc13ffa3b767641ff58d98c8df48167b55c45fb97335b4819c4af8a57af47ff1

c744751ad79f737ac78fe9c69afac4c7b8940951b2fe67d20175d27e77721371

c8014126255b80593651f5fe1e69e069147866498dbb78129f775d76a0fa8682

c8174141c60baa057aa9780fdb5fe1e4af59b9d3a9d5a1d8ab7d929b13d3882b

ff0b197ef34800ad007a5caedaf485af5ae523343ce8ec106d3a253d2c0a4a35

+ 511 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

ransomware spyware stealer family:masslogger

Link:

https://tria.ge/reports/200813-v3dpns39hx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f98b35d218026beac9f13d886758bb0712fda3dc74ae7fbc5b29ce5fb63109ab

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 7494beb1fee29665bd22f4d346c00a5ffc443f55115d9bc4127144073f5213e4

exe f98b35d218026beac9f13d886758bb0712fda3dc74ae7fbc5b29ce5fb63109ab

(this sample)

Dropped by

MD5 e5fa698a939d08c86c28e9c20a0d07c5

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/44814/

Dropped by

SHA256 7494beb1fee29665bd22f4d346c00a5ffc443f55115d9bc4127144073f5213e4

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample