MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fba68e2814abacdbe354eb421f5fd731a64cf8410b9ded4e914373a7863c2e99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fba68e2814abacdbe354eb421f5fd731a64cf8410b9ded4e914373a7863c2e99
SHA3-384 hash: 327739f52f5402c3e5aa98e5435943a6a75792b73c2ecd40b53a01b2874f5d2611cbfa5641be778ec0310c5f8c8651ae
SHA1 hash: 7ce3ba3cf6b124125b2da19109e9ea0dc48be4b9
MD5 hash: 0ea58048397685461c50d29255cd32ac
humanhash: diet-red-iowa-asparagus
File name:26-11-20_Dhl_Signed_document-pdf.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:5'587'360 bytes
First seen:2020-11-27 14:09:21 UTC
Last seen:2020-11-27 15:46:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 98304:d18tHFHDIdDRFey//pkUyfKtHYgLwzoQciVUkLlIhx/YrStOMHk:EVFHsney//v3lYgCoQemlITz6
Threatray 154 similar samples on MalwareBazaar
TLSH FE4633C9808C799AC41780F4ED38FE11341FBE8DA175595AB823E46FDA732936266D0F
Reporter James_inthe_box
Tags:exe MassLogger

Code Signing Certificate

Organisation:DigiCert Assured ID Root CA
Issuer:DigiCert Assured ID Root CA
Algorithm:sha1WithRSAEncryption
Valid from:Nov 10 00:00:00 2006 GMT
Valid to:Nov 10 00:00:00 2031 GMT
Serial number: 0CE7E0E517D846FE8FE560FC1BF03039
Intelligence: 22 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105815/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% subdirectories
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/549382
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fba68e2814abacdbe354eb421f5fd731a64cf8410b9ded4e914373a7863c2e99/
Threat name:
ByteCode-MSIL.Infostealer.Maslog
Create hunting rule
Status:
Malicious
First seen:
2020-11-27 03:17:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7oti4kauvownxy2u5nbb6x6xggtez6cbboo62turinz2pbr4f2mq._file
Verdict:
malicious
Similar samples:
12e2fade9c6f17595717385e99c97a448e87bbbb6a7a30ea2c31062983f4c065
MassLogger
546b14e45dad5ac436d7c928dc8e325082eacf2bd329a6f21648f37a37fe507d
MassLogger
59a680dd944269f001e9cd0c64baf199ca8fb8673caa18e7faf9cddc6562861e
MassLogger
6c7219ce0b85bcda4ea4fed96e66f08e2621463ac3bc1da55a108af0b35758c0
MassLogger
812cab79f178c577ea0fa8541ef9d34cb7688277c55b96f5e61c91c8da4bccfc
MassLogger
86b4bb9ea11ac97ecf7390c0e4e2979b69c294c22c65931ff734926c9540a0fd
MassLogger
8d66edd777191f1972fee3bbd11950bca3af608a2e3f3392c4c778a1ab991ec3
MassLogger
b2e5c043068bc3ec4be61c4884722589649aceef5adfb5c3a0e84a4172554e1c
MassLogger
b78c057366525777ab931d9a4a2962a2df499a6690aae1f3e215097d5adbb458
MassLogger
e95d8b2d7c80f9b47d7c3fb368256962c357404e85f45701a473b6354ca18133
MassLogger
+ 144 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger persistence spyware stealer
Link:
https://tria.ge/reports/201127-3ssdzp4s86/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
5e0de4108c5ea04b22e6b15e345a2fc91b8abe7cf60da8c279a6b0cf4b28a42a
MD5 hash:
559c1f739f9ea5078ec1d6c5984bc6db
SHA1 hash:
a00894ed0524638b60a159e6a93474c26d3ada8b
Link:
https://www.unpac.me/results/7fbca76e-c8b1-486e-aa3e-4000637f93ca/
SH256 hash:
57232ffa4d5038315340a225d6933004d07c310d05f206d3a9ddf3d35194c4a3
MD5 hash:
5e0dccbbd4dc2e29ce9136be697a7691
SHA1 hash:
93b49b42fd875da2a5533a8c8ca88efa909d650e
Link:
https://www.unpac.me/results/7fbca76e-c8b1-486e-aa3e-4000637f93ca/
SH256 hash:
c9e3fcab2a8f42bd28c169c28d6dc64a58d69dd99f7f8a8223438109cf9b76c4
MD5 hash:
3936282a5e073d026ab021f97f23c46e
SHA1 hash:
0f1e26652cd51b84403fc0d02c34b7cf2d2f3b64
Link:
https://www.unpac.me/results/7fbca76e-c8b1-486e-aa3e-4000637f93ca/
SH256 hash:
fba68e2814abacdbe354eb421f5fd731a64cf8410b9ded4e914373a7863c2e99
MD5 hash:
0ea58048397685461c50d29255cd32ac
SHA1 hash:
7ce3ba3cf6b124125b2da19109e9ea0dc48be4b9
Link:
https://www.unpac.me/results/7fbca76e-c8b1-486e-aa3e-4000637f93ca/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/105815/

Comments