Overview

overview

10

Static

static

b55cc68932...ed.exe

windows7_x64

10

b55cc68932...ed.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    105s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-04-2022 12:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b55cc68932bd36e0d0da05c5c40afd2416e6a505822584667780b48e469f22ed.exe

  • Size

    1.4MB

  • MD5

    ca7957bbdbd7829ab15c624367f3b82f

  • SHA1

    de862cb3c487d36ab954bbd2d7cce9bb217c8b09

  • SHA256

    b55cc68932bd36e0d0da05c5c40afd2416e6a505822584667780b48e469f22ed

  • SHA512

    f9ab5a37f57d751b84ebb362fe2431bad8dd1b68cdeb221aa9856a77c02dbff0f55c6783a6438356b09960bee0aa3b4cedf866910a65e6a19d21bb0bb278725a

Score
10/10
massloggercollectionspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b55cc68932bd36e0d0da05c5c40afd2416e6a505822584667780b48e469f22ed.exe
    "C:\Users\Admin\AppData\Local\Temp\b55cc68932bd36e0d0da05c5c40afd2416e6a505822584667780b48e469f22ed.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Users\Admin\AppData\Local\Temp\b55cc68932bd36e0d0da05c5c40afd2416e6a505822584667780b48e469f22ed.exe
      "C:\Users\Admin\AppData\Local\Temp\b55cc68932bd36e0d0da05c5c40afd2416e6a505822584667780b48e469f22ed.exe"
      2⤵
        PID:4552
      • C:\Users\Admin\AppData\Local\Temp\b55cc68932bd36e0d0da05c5c40afd2416e6a505822584667780b48e469f22ed.exe
        "C:\Users\Admin\AppData\Local\Temp\b55cc68932bd36e0d0da05c5c40afd2416e6a505822584667780b48e469f22ed.exe"
        2⤵
          PID:2832
        • C:\Users\Admin\AppData\Local\Temp\b55cc68932bd36e0d0da05c5c40afd2416e6a505822584667780b48e469f22ed.exe
          "C:\Users\Admin\AppData\Local\Temp\b55cc68932bd36e0d0da05c5c40afd2416e6a505822584667780b48e469f22ed.exe"
          2⤵
          • Checks computer location settings
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • outlook_office_path
          • outlook_win_path
          PID:4204

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2832-137-0x0000000000000000-mapping.dmp

        Download

      • memory/4204-142-0x00000000051A3000-0x00000000051A5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4204-141-0x0000000006D10000-0x0000000006D60000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4204-140-0x0000000006390000-0x00000000063F6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4204-139-0x0000000000400000-0x0000000000486000-memory.dmp

        Filesize

        536KB

        Download

      • memory/4204-138-0x0000000000000000-mapping.dmp

        Download

      • memory/4552-136-0x0000000000000000-mapping.dmp

        Download

      • memory/4984-130-0x0000000000BA0000-0x0000000000D16000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4984-135-0x000000000B240000-0x000000000B296000-memory.dmp

        Filesize

        344KB

        Download

      • memory/4984-134-0x00000000058D0000-0x00000000058DA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4984-133-0x000000000B0B0000-0x000000000B142000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4984-132-0x000000000B660000-0x000000000BC04000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4984-131-0x000000000B010000-0x000000000B0AC000-memory.dmp

        Filesize

        624KB

        Download