MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa5ce219ed13ed1b4a2d4547d79c953d4a12e034078c9e8d4ff6063f9f71311d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa5ce219ed13ed1b4a2d4547d79c953d4a12e034078c9e8d4ff6063f9f71311d
SHA3-384 hash: 99f52d4ca1f7602ae18d62cc0e4eb49e669a22f07ef0c4591832e9f7ff6d99fbeecd8153cff5ebe14241e439d195c3a5
SHA1 hash: 57be16661ce6438c2ed0d0cfe76ea99aad1da06d
MD5 hash: 518235907db3235724e31c40943c369c
humanhash: golf-massachusetts-berlin-fanta
File name:DOC11022012.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:816'128 bytes
First seen:2021-02-11 07:56:01 UTC
Last seen:2021-02-11 10:09:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:HpcfwkD4odwN97VLzQi3Wv3QlT7e5FHZJfTqHvXBPpJVnaSjw2BDiOoNeX6dC6h:mfwFWw/7tjoQlT70fmHvx7MSOOohFh
Threatray 609 similar samples on MalwareBazaar
TLSH A405226CF2114921CBBD03FED56172582333A5A775D1E3049DE012BFDFBA3E2421AA96
Reporter abuse_ch
Tags:exe geo isbank MassLogger TUR


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: hosted-by.rootlayer.net
Sending IP: 45.137.22.52
From: Türkiye Is Bankasi <ortakservismerkezi@isbank.com.tr>
Subject: Banka Bildirimi Tarih: 11/2/2021
Attachment: DOC11022012.UUE (contains "DOC11022012.exe")

MassLogger SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DOC11022012.exe
Verdict:
Malicious activity
Analysis date:
2021-02-11 08:01:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2fc412a3-648f-4ec8-a573-9336bdcbcd7b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
MassLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116686/
Detection(s):
SecuriteInfo.com.Artemis518235907DB3.14462.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a UDP request
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% subdirectories
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/605441
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Bypasses PowerShell execution policy
Drops PE files to the startup folder
May check the online IP address of the machine
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 351757 Sample: DOC11022012.exe Startdate: 11/02/2021 Architecture: WINDOWS Score: 88 44 Yara detected MassLogger RAT 2->44 46 .NET source code contains method to dynamically call methods (often used by packers) 2->46 48 May check the online IP address of the machine 2->48 50 3 other signatures 2->50 7 DOC11022012.exe 2 2->7         started        9 I$s#$lT3ssl.exe 2 2->9         started        process3 process4 11 InstallUtil.exe 15 5 7->11         started        15 powershell.exe 15 7->15         started        18 InstallUtil.exe 9->18         started        20 powershell.exe 17 9->20         started        22 InstallUtil.exe 9->22         started        dnsIp5 32 smtp.yandex.ru 77.88.21.158, 49747, 587 YANDEXRU Russian Federation 11->32 34 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.252.4, 49717, 80 AMAZON-AESUS United States 11->34 40 3 other IPs or domains 11->40 52 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->52 54 Tries to steal Mail credentials (via file access) 11->54 56 Tries to harvest and steal browser information (history, passwords, etc) 11->56 28 C:\Users\user\AppData\...\I$s#$lT3ssl.exe, PE32 15->28 dropped 58 Drops PE files to the startup folder 15->58 60 Powershell drops PE file 15->60 24 conhost.exe 15->24         started        36 54.235.142.93, 49726, 80 AMAZON-AESUS United States 18->36 38 192.168.2.1 unknown unknown 18->38 42 2 other IPs or domains 18->42 30 C:\Users\user\AppData\Local\Temp\...\Log.txt, ASCII 18->30 dropped 26 conhost.exe 20->26         started        file6 signatures7 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa5ce219ed13ed1b4a2d4547d79c953d4a12e034078c9e8d4ff6063f9f71311d/
Threat name:
Win32.Spyware.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-02-11 09:36:34 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7jooegpncpwrwsrnivd5phevhvfbfybua6gj5dkp6ydd7h3rgeoq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
29285c1e0f58e12ace807098090275535b37d6faf0379372b4ae41299cca5c3f
MassLogger
2a5bce88201c08a0bda97ea99db198b3a278b4f42c4ff7d0defb82b38b93d180
MassLogger
2f4fc1a5a5dccb324dcfac0022a391260fec5b2f2620b52d884f2b853a9a4471
MassLogger
36bb4745d0a342a57dbd7c668aed07e956ff166df4864e21b0770e790f734acc
MassLogger
3ab0c6de3d72133e9f3cf89b5d6c6bf7feebeaa273a3492aa051d1cc2fde6a33
MassLogger
3c7886c5214abc2bbc597d2afe1f28e443c75cfa7e368bec941a1b78bcf7eb12
MassLogger
4261bcf1395fcd6fd3bfa28d5427d88ea43e186c5497d8a98d195a599dd197e9
MassLogger
4f7ce008febd9fe224c7a7cec7d8abf8c0db3611fd14d8aca135041d21d2b45c
MassLogger
9f86ac872435f541b72bd8da2719337f399b02ef8740a04f071b9044ae6ed397
MassLogger
d25dcb3b16529c18136847b6e4b1ce35f63f29d28722a8030fb47eaaf11f5363
MassLogger
+ 599 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger ransomware spyware stealer
Link:
https://tria.ge/reports/210211-89zf5xbk1x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
MassLogger
MassLogger Main Payload
MassLogger log file
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/94328214-81f5-43fe-8a4b-0966c2ef6a38/
SH256 hash:
7021fd574398d842fe6645ad474e78922377ea66e6cce15287ef61add89ae95b
MD5 hash:
44340d1cf44f5f1f4c46f2d75ef1c716
SHA1 hash:
ee4aefa2a2509e8f6aa087539f03ccc6d4a48b4c
Link:
https://www.unpac.me/results/94328214-81f5-43fe-8a4b-0966c2ef6a38/
SH256 hash:
9f86ac872435f541b72bd8da2719337f399b02ef8740a04f071b9044ae6ed397
MD5 hash:
daec8d2a480411ff1f82b24af4ac7cdf
SHA1 hash:
c61b695772de84df8508b9a740437db3a6da417d
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/94328214-81f5-43fe-8a4b-0966c2ef6a38/
Parent samples :
9f86ac872435f541b72bd8da2719337f399b02ef8740a04f071b9044ae6ed397
3c7886c5214abc2bbc597d2afe1f28e443c75cfa7e368bec941a1b78bcf7eb12
d25dcb3b16529c18136847b6e4b1ce35f63f29d28722a8030fb47eaaf11f5363
fa5ce219ed13ed1b4a2d4547d79c953d4a12e034078c9e8d4ff6063f9f71311d
c102f6eeb3bc1106d4201200ca09a72f9b044448d1087db2568078489962563a
48ee5dff920a4d725d5356561c31b5dc86637ff17bb653f0d39cc3485ce905e9
SH256 hash:
fa5ce219ed13ed1b4a2d4547d79c953d4a12e034078c9e8d4ff6063f9f71311d
MD5 hash:
518235907db3235724e31c40943c369c
SHA1 hash:
57be16661ce6438c2ed0d0cfe76ea99aad1da06d
Link:
https://www.unpac.me/results/94328214-81f5-43fe-8a4b-0966c2ef6a38/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa5ce219ed13ed1b4a2d4547d79c953d4a12e034078c9e8d4ff6063f9f71311d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MassLogger
Create hunting rule
Author:kevoreilly
Description:MassLogger
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 8ce77726474903d5cc85d565749c8dfc6af4ce014e94f2051b39a229a7cda5e2

MassLogger

Executable exe fa5ce219ed13ed1b4a2d4547d79c953d4a12e034078c9e8d4ff6063f9f71311d

(this sample)

  
Dropped by
MD5 34a0a6240ffd28e86212cf3be9b4d71c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/116686/
  
Dropped by
SHA256 8ce77726474903d5cc85d565749c8dfc6af4ce014e94f2051b39a229a7cda5e2

Comments