MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe1ba0870e9e6cf4e63c5775a66bc3e0cb91d30e24294d06c0037b68e701ad9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe1ba0870e9e6cf4e63c5775a66bc3e0cb91d30e24294d06c0037b68e701ad9d
SHA3-384 hash: e8c68875561f22d96cf0f7d2d526e6b3822702c90b7397524aebcbf40634d2a58702645019837f12053b244189ac1bbf
SHA1 hash: 5336db5b11b6840a4f3dbf145ad7373c5f485c0b
MD5 hash: 8f1c715ad9dba5d76806ffd55243a7a2
humanhash: skylark-black-september-apart
File name:DUE INVOICES.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:508'416 bytes
First seen:2020-10-20 08:05:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:63chGEtLNRtYM5HRVeR36vqE7kMy0kNncL3Tz37JX8tRCCimvPIp5VdH:63OGE7YM5HfW36vh7
Threatray 132 similar samples on MalwareBazaar
TLSH 83B41F3CADE52637C2B6D675D9E5119BFA1578833126AC4DA1C703520F03BA77EC222E
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: flomicgroup.com
Sending IP: 103.99.1.143
From: "Hovnan Garabedian" <nitinz@flomicgroup.com>
Subject: SOA - PAYMENT FOLLOW UP
Attachment: DUE INVOICES.zip (contains "DUE INVOICES.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/73297/
Detection(s):
SecuriteInfo.com.Artemis8F1C715AD9DB.32131.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/497231
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300782 Sample: DUE INVOICES.exe Startdate: 20/10/2020 Architecture: WINDOWS Score: 64 23 Machine Learning detection for sample 2->23 25 Machine Learning detection for dropped file 2->25 27 Initial sample is a PE file and has a suspicious name 2->27 29 3 other signatures 2->29 7 DUE INVOICES.exe 16 5 2->7         started        11 vlc.exe 14 3 2->11         started        13 vlc.exe 2 2->13         started        process3 file4 19 C:\Users\user\AppData\Roaming\...\vlc.exe, PE32 7->19 dropped 21 C:\Users\user\...\vlc.exe:Zone.Identifier, ASCII 7->21 dropped 31 Adds a directory exclusion to Windows Defender 7->31 15 powershell.exe 24 7->15         started        signatures5 process6 process7 17 conhost.exe 15->17         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe1ba0870e9e6cf4e63c5775a66bc3e0cb91d30e24294d06c0037b68e701ad9d/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 08:02:07 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7yn2bbyotzwpjzr4k522m26d4dfzduyoequu2bwaan5wrzybvwoq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4
MassLogger
1ca56622a5046a55fd09c9cdc61c262d9db3a009a88e0314e7bb9c64c973e9a7
MassLogger
25565e82a4ff19e43439a8188345ec8ad8d3538529dec10764c9ffba163ceb6c
MassLogger
4c66ebb40e5abd92b6a6985e8409116c5424ebb9af0c320cbafb031698e5022c
MassLogger
6147c0c4f1176427ee8cd49355313608c1b18d0a8080dc53319a7b3eb2f83b02
MassLogger
7fd613b9b27239f8bd2aaaa338d6aef3649893befba81e7075a9ff72df8e2eae
MassLogger
96a8399aef7760c49b1b2fd59de6f8747f5de3bf85249c5d7e09e7499a5c097f
MassLogger
c2e30f7fb4bd1be4de7a4322f2a1d1b489259c1a54cc372a55148eca640d5a9e
MassLogger
d9f4e53838a43981dee675993924484cd508c1d6fe40d619694e313e9d1e6569
MassLogger
fc87713edf4f4aa23cf04040a4f47604550b4ca2da324c0c3daf4fdcac6fa17f
MassLogger
+ 122 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/201020-7dyllszzpa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Unpacked files
SH256 hash:
fe1ba0870e9e6cf4e63c5775a66bc3e0cb91d30e24294d06c0037b68e701ad9d
MD5 hash:
8f1c715ad9dba5d76806ffd55243a7a2
SHA1 hash:
5336db5b11b6840a4f3dbf145ad7373c5f485c0b
Link:
https://www.unpac.me/results/930f1c37-8bea-4b36-91d1-83070c669b62/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/fe1ba0870e9e6cf4e63c5775a66bc3e0cb91d30e24294d06c0037b68e701ad9d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 9b20a79bbcd7f5d7e981ab996160812e1f3f54ac809950629f1f437f5a866d70

MassLogger

Executable exe fe1ba0870e9e6cf4e63c5775a66bc3e0cb91d30e24294d06c0037b68e701ad9d

(this sample)

  
Dropped by
MD5 c3bc4211552a92ee3a5bd876961bab4e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73297/
  
Dropped by
SHA256 9b20a79bbcd7f5d7e981ab996160812e1f3f54ac809950629f1f437f5a866d70

Comments