Overview

overview

10

Static

static

b78442ab20...4e.exe

windows7_x64

10

b78442ab20...4e.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    87s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20/04/2022, 08:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe

  • Size

    1.0MB

  • MD5

    8802b4bf7ac58aacf4e9c21e90b79df7

  • SHA1

    d60038c985976958202eaa6326e222e418865863

  • SHA256

    b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e

  • SHA512

    89fcf9ab5af4401745d858dac2476d1ebff1e2a58cd6174ad3898054d96451991786763770020d25c79094447724f7d14ecd2ebaf4e7141bf8f50fa52f7f3f67

Score
10/10
massloggerevasionspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 7 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Executes dropped EXE 2 IoCs
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
    "C:\Users\Admin\AppData\Local\Temp\b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Users\Admin\AppData\Local\Temp\b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
      "C:\Users\Admin\AppData\Local\Temp\b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn hostlasco.exe /tr '"C:\Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1088
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn hostlasco.exe /tr '"C:\Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:1336
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2DA6.tmp.bat""
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:812
        • C:\Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe
          "C:\Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe"
          4⤵
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Loads dropped DLL
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1996
          • C:\Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe
            "C:\Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe"
            5⤵
            • Executes dropped EXE
            PID:612

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe
    Filesize

    1.0MB

    MD5

    8802b4bf7ac58aacf4e9c21e90b79df7

    SHA1

    d60038c985976958202eaa6326e222e418865863

    SHA256

    b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e

    SHA512

    89fcf9ab5af4401745d858dac2476d1ebff1e2a58cd6174ad3898054d96451991786763770020d25c79094447724f7d14ecd2ebaf4e7141bf8f50fa52f7f3f67

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe
    Filesize

    1.0MB

    MD5

    8802b4bf7ac58aacf4e9c21e90b79df7

    SHA1

    d60038c985976958202eaa6326e222e418865863

    SHA256

    b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e

    SHA512

    89fcf9ab5af4401745d858dac2476d1ebff1e2a58cd6174ad3898054d96451991786763770020d25c79094447724f7d14ecd2ebaf4e7141bf8f50fa52f7f3f67

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe
    Filesize

    1.0MB

    MD5

    8802b4bf7ac58aacf4e9c21e90b79df7

    SHA1

    d60038c985976958202eaa6326e222e418865863

    SHA256

    b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e

    SHA512

    89fcf9ab5af4401745d858dac2476d1ebff1e2a58cd6174ad3898054d96451991786763770020d25c79094447724f7d14ecd2ebaf4e7141bf8f50fa52f7f3f67

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp2DA6.tmp.bat
    Filesize

    165B

    MD5

    6dbf4bc7d62b366de234ed64ae8ffdcf

    SHA1

    d0e0c2b43b0d473e5e53bc2ee875a0274f13fb5f

    SHA256

    954e56d79a239e954a473c4cdfd642053ef433508f688a95b8a1b1f34e49cf04

    SHA512

    061f4f4853a16c0a9322a7ee83988feea92a2f76fef69ea11d19d680e48f03033f24094ad6f5d8dc3e230891d09743a4c12782f2cc2bd0b48a3eb8856ae36903

    Download Submit

  • \Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe
    Filesize

    1.0MB

    MD5

    8802b4bf7ac58aacf4e9c21e90b79df7

    SHA1

    d60038c985976958202eaa6326e222e418865863

    SHA256

    b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e

    SHA512

    89fcf9ab5af4401745d858dac2476d1ebff1e2a58cd6174ad3898054d96451991786763770020d25c79094447724f7d14ecd2ebaf4e7141bf8f50fa52f7f3f67

    Download Submit

  • \Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe
    Filesize

    1.0MB

    MD5

    8802b4bf7ac58aacf4e9c21e90b79df7

    SHA1

    d60038c985976958202eaa6326e222e418865863

    SHA256

    b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e

    SHA512

    89fcf9ab5af4401745d858dac2476d1ebff1e2a58cd6174ad3898054d96451991786763770020d25c79094447724f7d14ecd2ebaf4e7141bf8f50fa52f7f3f67

    Download Submit

  • memory/1008-57-0x0000000006F00000-0x0000000006F88000-memory.dmp

    Filesize

    544KB

    Download

  • memory/1008-54-0x0000000000E50000-0x0000000000F62000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1008-56-0x0000000007C70000-0x0000000007D30000-memory.dmp

    Filesize

    768KB

    Download

  • memory/1008-55-0x00000000002E0000-0x00000000002F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1788-61-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1788-69-0x0000000004695000-0x00000000046A6000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1788-68-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1788-66-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1788-63-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1788-62-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1788-59-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1788-58-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1996-79-0x0000000001300000-0x0000000001412000-memory.dmp

    Filesize

    1.1MB

    Download