Analysis
-
max time kernel
87s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-04-2022 04:06
General
-
Target
Inquriy List Ref.exe
-
Size
897KB
-
MD5
c0989fcd6a3bb3c463d4e6cf10bc2b78
-
SHA1
26a804e261e9e5741858ebc475692d2c17a4ad42
-
SHA256
18536d644a7be6098da4f895bac325297f0a4c08252f6b98f9cab510f004e8ce
-
SHA512
9fbde9b86f9c9ba0ddd1ee227350294f69904a39a614b1d9ce810394771de8ad06f3033ace86059fe2fc8d42ef2d56e0c045760709a5bc80dea2dcdb9150f173
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Inquriy List Ref.exe"C:\Users\Admin\AppData\Local\Temp\Inquriy List Ref.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Inquriy List Ref.exe"C:\Users\Admin\AppData\Local\Temp\Inquriy List Ref.exe"2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Inquriy List Ref.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD584e77a587d94307c0ac1357eb4d3d46f
SHA183cc900f9401f43d181207d64c5adba7a85edc1e
SHA256e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
SHA512aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
624KB
-
Filesize
40KB
-
Filesize
920KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
32KB
-
-
Filesize
104KB
-
Filesize
216KB
-
Filesize
56KB
-
Filesize
6.2MB
-
Filesize
600KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
8KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
6.5MB
-
Filesize
40KB
-
Filesize
536KB
-
-
Filesize
8KB
-
Filesize
320KB
-
Filesize
408KB