Analysis

  • max time kernel: 71s
  • max time network: 128s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 20-04-2022 08:48

General

  • Target: 2ef8b8f1b850be0d46289894a31ef26216ffde8431b788cce2486ffdec969787.exe
  • Size: 1.3MB
  • MD5: 78322592ad925ca876a20c4e17d826a0
  • SHA1: 1a18ed4a7f29abf076f2e1554e10f7fc06a51104
  • SHA256: 2ef8b8f1b850be0d46289894a31ef26216ffde8431b788cce2486ffdec969787
  • SHA512: 55a1cd9e9ad14fbc0c299758e80a3556cd0f97229210900d0fb6c554ccac1186f13eb740ed4d00de2637fb8f615451099aeae1752d6c6b6ec5d4ff73fbf25877

Malware Config

Signatures

  • MassLogger

    MassLogger is a .NET stealer that targets passwords stored by browsers, email clients and cryptocurrency clients.

  • MassLogger Main Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ef8b8f1b850be0d46289894a31ef26216ffde8431b788cce2486ffdec969787.exe
    "C:\Users\Admin\AppData\Local\Temp\2ef8b8f1b850be0d46289894a31ef26216ffde8431b788cce2486ffdec969787.exe"
    1⤵
    • Checks computer location settings
    • Accesses Microsoft Outlook profiles
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:2028
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2ef8b8f1b850be0d46289894a31ef26216ffde8431b788cce2486ffdec969787.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1892

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1892-57-0x0000000000000000-mapping.dmp
  • memory/1892-58-0x0000000075FE1000-0x0000000075FE3000-memory.dmp (Filesize: 8KB)
  • memory/1892-60-0x000000006F520000-0x000000006FACB000-memory.dmp (Filesize: 5.7MB)
  • memory/2028-54-0x0000000000C50000-0x0000000000DA0000-memory.dmp (Filesize: 1.3MB)
  • memory/2028-55-0x00000000021A0000-0x0000000002206000-memory.dmp (Filesize: 408KB)
  • memory/2028-56-0x00000000022E0000-0x0000000002366000-memory.dmp (Filesize: 536KB)
  • memory/2028-59-0x00000000050C5000-0x00000000050D6000-memory.dmp (Filesize: 68KB)