Analysis

  • max time kernel
    4294178s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    26-03-2022 09:43

General

  • Target

    b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe

  • Size

    1.2MB

  • MD5

    d07a09607469ef8691d34d81376125cc

  • SHA1

    6b5fa836c06af55cdd45d257718f24723f280b1d

  • SHA256

    b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f

  • SHA512

    1791eb8143bbf0060d38590a723d8b96bbddf0292e3840a6febd4e50cc19ab02d96bdd1f8042ffa267ce1cd0c182d7eeac9f3883a632f829000edb0091a01295

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.turkaykalibrasyon.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Cc_8A46

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe
    "C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml"
        3⤵
        • Creates scheduled task(s)
        PID:776
    • C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe
      "C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe"
      2⤵
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:920
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b3b7c25b19f543b3aec9c5bdc7ee48ef52a95e491a6c41e1ff717e7723c4d64f.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1320

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3bc9d0e4991c4127854c846f1c363314.xml

    Filesize

    1KB

    MD5

    64c93af47c479be893f61afbc7472015

    SHA1

    400cd9cef7c8ab678063601c23c72453f1c10f16

    SHA256

    5bc83f04478cccb2c3bb4934f73efa55b8603924f671fcd647712c71f68bbc27

    SHA512

    500f5d3604859abdc602ad89fc4bf3cd4adfbce0c0d29714b17b473929d5b06cff67c4d44deed0166bc90a486d0c404f4e857073c4657efefaa2e431f8b64fe4

  • memory/776-59-0x0000000000000000-mapping.dmp

  • memory/920-61-0x00000000042F0000-0x0000000004376000-memory.dmp

    Filesize

    536KB

  • memory/920-57-0x000000000040188B-mapping.dmp

  • memory/920-64-0x0000000004399000-0x00000000043AA000-memory.dmp

    Filesize

    68KB

  • memory/920-65-0x0000000005D80000-0x0000000005DBE000-memory.dmp

    Filesize

    248KB

  • memory/920-66-0x0000000005E30000-0x0000000005EC0000-memory.dmp

    Filesize

    576KB

  • memory/1320-62-0x0000000000000000-mapping.dmp

  • memory/1320-67-0x000000006E790000-0x000000006ED3B000-memory.dmp

    Filesize

    5.7MB

  • memory/1320-68-0x00000000025F0000-0x000000000323A000-memory.dmp

    Filesize

    12.3MB

  • memory/1452-55-0x00000000009B0000-0x0000000000A4C000-memory.dmp

    Filesize

    624KB

  • memory/1452-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

    Filesize

    8KB

  • memory/1700-56-0x0000000000000000-mapping.dmp