MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdfa7f1312d60c75bcd775c87616b731602bbd1c658bbe63d6069f4243c85553. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fdfa7f1312d60c75bcd775c87616b731602bbd1c658bbe63d6069f4243c85553
SHA3-384 hash: 67179ff3479a05c40eac1de7eb1a408aa816f90944bec83cbb99d1561b9587a53efd10436032b9efb374665fb05fadb0
SHA1 hash: 3c72ec5a1e21349ff72f75189cb781444744132b
MD5 hash: 78232de6e3d5cde5080f46df6216bc3a
humanhash: summer-december-tango-magnesium
File name:Halkbank_Ekstre_20201019_080416_900140.pdf.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:2'071'040 bytes
First seen:2020-10-19 18:24:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:bUowIz5HMrtoitHlpFOryVWCFwfzM4TVhAPGKXYDleaK7NBpyVsK5FnXU3CCxi6R:AowCBMrtoitH/FOCWF2R2Gj
Threatray 360 similar samples on MalwareBazaar
TLSH 88A5E798755071DFC86BCE328AA85C64EA102CBA931FD207905735DDAA7EA97CF140F3
Reporter abuse_ch
Tags:exe geo Halkbank MassLogger TUR


Avatar
abuse_ch
Malspam distributing MassLogger:

HELO: halkbank.com.tr
Sending IP: 156.96.62.59
From: HALKBANK.E-EKSTRE@halkbank.com.tr
Subject: T.HALK BANKASI A.Ş. 19.10.2020 Hesap Ekstresi
Attachment: Halkbank_Ekstre_20201019_080416_900140.pdf.z (contains "Halkbank_Ekstre_20201019_080416_900140.pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/73090/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.16239.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/495901
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM_3
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fdfa7f1312d60c75bcd775c87616b731602bbd1c658bbe63d6069f4243c85553/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 18:26:05 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7x5h6eys2yghlpgxoxehmfvxgfqcxpi4mwf34y6wa2pueq6ikvjq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
6030faadae8d2aa1b94b06da9c0d4ed3ce33076a1bc04218027519b1043a6a95
MassLogger
7f65935cd55b5a0978bf0a70690462a08d83657a97ddbe6aba871a5496d5f9c5
MassLogger
912600bd6e63f251f04f033d78b5bf9df23c207bef9715bdd6d4949c9f25b65c
MassLogger
b7aa7cbd8c966e98aae89ea2f4e8f485b8969f99349c9899dfbbe9a51bcd0e91
MassLogger
ba4e39e16f3599f9bfe3b5dd1664e0d071d2dfeb308e9380778c8360495f61d5
MassLogger
c7f039cff52a5c1de59fb782259f3fd2054946e9fca03d364f61c7977128dcca
MassLogger
ed42640da83dda3bf2ed08c414bfd256a82c9a8ef1894a59e3c421b254c59d4d
MassLogger
f784d412a56ccd414525c22e6b2e7c9482040e89be20fdb1f2e4db0016812ea7
MassLogger
f925d649aee4b92c974778fd87576229f44972c23df41df5aacdd9dc55fd2c45
MassLogger
fc8f5c635abe5534833683141ae57470c09a246eb290895ce748d1bede405c25
MassLogger
+ 350 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
spyware stealer family:masslogger
Link:
https://tria.ge/reports/201019-w4zfyjx43e/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
MassLogger
MassLogger Main Payload
Unpacked files
SH256 hash:
fdfa7f1312d60c75bcd775c87616b731602bbd1c658bbe63d6069f4243c85553
MD5 hash:
78232de6e3d5cde5080f46df6216bc3a
SHA1 hash:
3c72ec5a1e21349ff72f75189cb781444744132b
Link:
https://www.unpac.me/results/ffeca41d-2a29-43a3-81a6-1f2cdc72f4d2/
SH256 hash:
1d2baf612476781101a44df00c908c1e50e79acbc2d4215309b9d2ada14a36a7
MD5 hash:
b8b146d7d99df4ace20ce6caf5a34d13
SHA1 hash:
1358b3afb2adc64515cab9d64e062345c85faf46
Detections:
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/ffeca41d-2a29-43a3-81a6-1f2cdc72f4d2/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/ffeca41d-2a29-43a3-81a6-1f2cdc72f4d2/
SH256 hash:
d38e4c066a2960e838ec7706bc23062dd4149d1021a69b6204fefe982371bdbc
MD5 hash:
d7751cc7e7cadfcbe88399088e667e28
SHA1 hash:
f0a8cf8586c73425eec330cb357d7f7a65a7c865
Link:
https://www.unpac.me/results/ffeca41d-2a29-43a3-81a6-1f2cdc72f4d2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/fdfa7f1312d60c75bcd775c87616b731602bbd1c658bbe63d6069f4243c85553

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 82988b0e4f396aad7ebbd2f4db7f76680115df3464c770b3bb394fb09204782b

MassLogger

Executable exe fdfa7f1312d60c75bcd775c87616b731602bbd1c658bbe63d6069f4243c85553

(this sample)

  
Dropped by
MD5 09f3b7f7454e8ba0f1066aa706b3ef12
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 82988b0e4f396aad7ebbd2f4db7f76680115df3464c770b3bb394fb09204782b
Cape
Cape
https://www.capesandbox.com/analysis/73090/

Comments