B3gkHhPlWv3DOsB.exe

General
Target: B3gkHhPlWv3DOsB.exe
Filesize: 845KB
Completed: 16-06-2020 20:53
Score: 10/10
MD5: 35a5963bfb1fa8b5e3851378959ac522
SHA1: b1c035b8221c06e14311eda738df7e28a6559514
SHA256: 77b7fa89c446b127b0c1d8ad0c5dc5fb57c8121dd3c40a67b77e5c0a35d75114

Malware Config

Extracted

Path: C:\Users\Admin\AppData\Local\Temp\E2C1E8F1FA\Log.txt
Family: masslogger
Ransom Note:
#################################################################
MassLogger v1.3.7.1
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.51
Location: United States
Windows OS: Microsoft Windows 7 Professional 64bit
Windows Serial Key: HYF8J-CVRMY-CM74G-RPHKF-PW487
CPU: Persocon Processor 2.5+
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 6/16/2020 8:52:55 PM
MassLogger Started: 6/16/2020 8:52:49 PM
Interval: 2 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\B3gkHhPlWv3DOsB.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:
Signatures (11)

Tactics: Collection, Credential Access, Persistence
  • Suspicious use of WriteProcessMemory
    B3gkHhPlWv3DOsB.exe

    Reported IOCs

    description                     | pid | process             | target process
    PID 900 wrote to memory of 1868 | 900 | B3gkHhPlWv3DOsB.exe | schtasks.exe
    PID 900 wrote to memory of 1868 | 900 | B3gkHhPlWv3DOsB.exe | schtasks.exe
    PID 900 wrote to memory of 1868 | 900 | B3gkHhPlWv3DOsB.exe | schtasks.exe
    PID 900 wrote to memory of 1868 | 900 | B3gkHhPlWv3DOsB.exe | schtasks.exe
    PID 900 wrote to memory of 1384 | 900 | B3gkHhPlWv3DOsB.exe | B3gkHhPlWv3DOsB.exe
    PID 900 wrote to memory of 1384 | 900 | B3gkHhPlWv3DOsB.exe | B3gkHhPlWv3DOsB.exe
    PID 900 wrote to memory of 1384 | 900 | B3gkHhPlWv3DOsB.exe | B3gkHhPlWv3DOsB.exe
    PID 900 wrote to memory of 1384 | 900 | B3gkHhPlWv3DOsB.exe | B3gkHhPlWv3DOsB.exe
    PID 900 wrote to memory of 1384 | 900 | B3gkHhPlWv3DOsB.exe | B3gkHhPlWv3DOsB.exe
    PID 900 wrote to memory of 1384 | 900 | B3gkHhPlWv3DOsB.exe | B3gkHhPlWv3DOsB.exe
    PID 900 wrote to memory of 1384 | 900 | B3gkHhPlWv3DOsB.exe | B3gkHhPlWv3DOsB.exe
    PID 900 wrote to memory of 1384 | 900 | B3gkHhPlWv3DOsB.exe | B3gkHhPlWv3DOsB.exe
    PID 900 wrote to memory of 1384 | 900 | B3gkHhPlWv3DOsB.exe | B3gkHhPlWv3DOsB.exe
  • Suspicious behavior: EnumeratesProcesses
    B3gkHhPlWv3DOsB.exe

    Reported IOCs

    pid  | process
    1384 | B3gkHhPlWv3DOsB.exe
    1384 | B3gkHhPlWv3DOsB.exe
  • MassLogger log file

    Description

    Detects a log file produced by MassLogger.

    Reported IOCs

    yara_rule: masslogger_log_file
  • Suspicious use of SetWindowsHookEx
    B3gkHhPlWv3DOsB.exe

    Reported IOCs

    pid  | process
    1384 | B3gkHhPlWv3DOsB.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System, Credentials in Files
  • MassLogger

    Description

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • Suspicious use of SetThreadContext
    B3gkHhPlWv3DOsB.exe

    Reported IOCs

    description                         | pid | process             | target process
    PID 900 set thread context of 1384  | 900 | B3gkHhPlWv3DOsB.exe | B3gkHhPlWv3DOsB.exe
  • Suspicious use of AdjustPrivilegeToken
    B3gkHhPlWv3DOsB.exe

    Reported IOCs

    description             | pid  | process
    Token: SeDebugPrivilege | 1384 | B3gkHhPlWv3DOsB.exe
  • Suspicious behavior: AddClipboardFormatListener
    B3gkHhPlWv3DOsB.exe

    Reported IOCs

    pid  | process
    1384 | B3gkHhPlWv3DOsB.exe
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    6    | api.ipify.org
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid  | process
    1868 | schtasks.exe
Processes (3)
  • C:\Users\Admin\AppData\Local\Temp\B3gkHhPlWv3DOsB.exe
    "C:\Users\Admin\AppData\Local\Temp\B3gkHhPlWv3DOsB.exe"
    Suspicious use of WriteProcessMemory
    Suspicious use of SetThreadContext
    PID:900
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cExnKKQoq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp730.tmp"
      Creates scheduled task(s)
      PID:1868
    • C:\Users\Admin\AppData\Local\Temp\B3gkHhPlWv3DOsB.exe
      "{path}"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of AdjustPrivilegeToken
      Suspicious behavior: AddClipboardFormatListener
      PID:1384
Network
MITRE ATT&CK Matrix
Tactic columns: Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\tmp730.tmp
  • memory/900-1-0x0000000000000000-0x0000000000000000-disk.dmp
  • memory/1384-3-0x0000000000400000-0x00000000004A8000-memory.dmp
  • memory/1384-5-0x0000000000400000-0x00000000004A8000-memory.dmp
  • memory/1384-4-0x0000000000400000-0x00000000004A8000-memory.dmp