Analysis

  • max time kernel
    62s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-04-2022 12:39

General

  • Target

    62ba72c8e528303083fadcd97e95c3115bf1982e6d1516472dfd0c9abbf8e0cc.exe

  • Size

    1.0MB

  • MD5

    a5f465e80c730365bef7d2016a06b4e8

  • SHA1

    47556b655932468d093df342fbf37049b7baf55c

  • SHA256

    62ba72c8e528303083fadcd97e95c3115bf1982e6d1516472dfd0c9abbf8e0cc

  • SHA512

    cc487ffee2dcacb9e93ef81020725ae672d36e7b5599c1e7e751c1cb09cace941509410014fba3721cfa2a4801f1c02ac0f297cf96b26fea739d9b4f8f11166f

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    jokerhacks891@gmail.com
  • Password:
    Fresh.2019$

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload 1 IoCs
  • Meta Stealer Stealer

    Meta Stealer steals passwords stored in browsers, written in C++.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\62ba72c8e528303083fadcd97e95c3115bf1982e6d1516472dfd0c9abbf8e0cc.exe
    "C:\Users\Admin\AppData\Local\Temp\62ba72c8e528303083fadcd97e95c3115bf1982e6d1516472dfd0c9abbf8e0cc.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1396
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CHYEwkdoyxEGqz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3B73.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4880
    • C:\Users\Admin\AppData\Local\Temp\62ba72c8e528303083fadcd97e95c3115bf1982e6d1516472dfd0c9abbf8e0cc.exe
      "{path}"
      2⤵
        PID:1984
      • C:\Users\Admin\AppData\Local\Temp\62ba72c8e528303083fadcd97e95c3115bf1982e6d1516472dfd0c9abbf8e0cc.exe
        "{path}"
        2⤵
        • Checks computer location settings
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:5072

    Network

    • flag-us
      DNS
      api.ipify.org
      62ba72c8e528303083fadcd97e95c3115bf1982e6d1516472dfd0c9abbf8e0cc.exe
      Remote address:
      8.8.8.8:53
      Request
      api.ipify.org
      IN A
      Response
      api.ipify.org
      IN CNAME
      api.ipify.org.herokudns.com
      api.ipify.org.herokudns.com
      IN A
      3.220.57.224
      api.ipify.org.herokudns.com
      IN A
      3.232.242.170
      api.ipify.org.herokudns.com
      IN A
      54.91.59.199
      api.ipify.org.herokudns.com
      IN A
      52.20.78.240
    • flag-us
      GET
      http://api.ipify.org/
      62ba72c8e528303083fadcd97e95c3115bf1982e6d1516472dfd0c9abbf8e0cc.exe
      Remote address:
      3.220.57.224:80
      Request
      GET / HTTP/1.1
      Host: api.ipify.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Server: Cowboy
      Connection: keep-alive
      Content-Type: text/plain
      Vary: Origin
      Date: Fri, 15 Apr 2022 12:43:04 GMT
      Content-Length: 12
      Via: 1.1 vegur
    • flag-us
      DNS
      smtp.gmail.com
      62ba72c8e528303083fadcd97e95c3115bf1982e6d1516472dfd0c9abbf8e0cc.exe
      Remote address:
      8.8.8.8:53
      Request
      smtp.gmail.com
      IN A
      Response
      smtp.gmail.com
      IN A
      142.250.102.109
    • 52.168.117.170:443
      322 B
      7
    • 3.220.57.224:80
      http://api.ipify.org/
      http
      62ba72c8e528303083fadcd97e95c3115bf1982e6d1516472dfd0c9abbf8e0cc.exe
      293 B
      356 B
      5
      4

      HTTP Request

      GET http://api.ipify.org/

      HTTP Response

      200
    • 142.250.102.109:587
      smtp.gmail.com
      smtp
      62ba72c8e528303083fadcd97e95c3115bf1982e6d1516472dfd0c9abbf8e0cc.exe
      1.1kB
      6.2kB
      14
      17
    • 93.184.221.240:80
      322 B
      7
    • 93.184.221.240:80
      322 B
      7
    • 8.8.8.8:53
      api.ipify.org
      dns
      62ba72c8e528303083fadcd97e95c3115bf1982e6d1516472dfd0c9abbf8e0cc.exe
      59 B
      164 B
      1
      1

      DNS Request

      api.ipify.org

      DNS Response

      3.220.57.224
      3.232.242.170
      54.91.59.199
      52.20.78.240

    • 8.8.8.8:53
      smtp.gmail.com
      dns
      62ba72c8e528303083fadcd97e95c3115bf1982e6d1516472dfd0c9abbf8e0cc.exe
      60 B
      76 B
      1
      1

      DNS Request

      smtp.gmail.com

      DNS Response

      142.250.102.109

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp3B73.tmp

      Filesize

      1KB

      MD5

      50f3be11172956f1f43631440193e9db

      SHA1

      44be2d7b434a9875388e71a299b6a79420cff8d6

      SHA256

      6422e9b259e22cc0ef6da1605954b5cace29e492636838e8889b30775ea58758

      SHA512

      5234d1f42e79fe2185cd6ca3e32a7a31ca08c14938eb84c583802522be11a34b28152a88180d85b2be9b23dd5ac35dd3d34dfda96aa699dc67fc238449ff91e4

    • memory/1396-131-0x0000000007940000-0x0000000007EE4000-memory.dmp

      Filesize

      5.6MB

    • memory/1396-132-0x0000000007530000-0x00000000075C2000-memory.dmp

      Filesize

      584KB

    • memory/1396-133-0x00000000074A0000-0x00000000074AA000-memory.dmp

      Filesize

      40KB

    • memory/1396-134-0x000000000B1F0000-0x000000000B71C000-memory.dmp

      Filesize

      5.2MB

    • memory/1396-135-0x000000000B990000-0x000000000BA2C000-memory.dmp

      Filesize

      624KB

    • memory/1396-130-0x0000000000190000-0x0000000000296000-memory.dmp

      Filesize

      1.0MB

    • memory/5072-140-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/5072-141-0x00000000068E0000-0x0000000006946000-memory.dmp

      Filesize

      408KB

    • memory/5072-142-0x00000000055A3000-0x00000000055A5000-memory.dmp

      Filesize

      8KB

    • memory/5072-143-0x00000000073D0000-0x0000000007420000-memory.dmp

      Filesize

      320KB
