Analysis

  • max time kernel
    188s
  • max time network
    195s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-05-2022 12:07

General

  • Target

    7c2e49a372774be85d91e19ed6c8481879cdfe203ca8b54bb22bcd209bcee5fe.exe

  • Size

    502KB

  • MD5

    16bc4c027c2c181559dc8ae64a0d5c9e

  • SHA1

    f9714d8565402a7462c332b596218ace4a515ddf

  • SHA256

    7c2e49a372774be85d91e19ed6c8481879cdfe203ca8b54bb22bcd209bcee5fe

  • SHA512

    b60478750b1183637b782224f6a646f491f1481146dec90510125e94226634353107fb3527d00a8a45a12b84c27c1ad1cb600aadc209e6972b69b6ae35b286d7

Malware Config

Signatures

  • MassLogger

    MassLogger is a .NET stealer that targets passwords stored by browsers, email clients and cryptocurrency clients.

  • MassLogger Main Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c2e49a372774be85d91e19ed6c8481879cdfe203ca8b54bb22bcd209bcee5fe.exe
    "C:\Users\Admin\AppData\Local\Temp\7c2e49a372774be85d91e19ed6c8481879cdfe203ca8b54bb22bcd209bcee5fe.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5012
    • C:\Users\Admin\AppData\Local\Temp\7c2e49a372774be85d91e19ed6c8481879cdfe203ca8b54bb22bcd209bcee5fe.exe
      "C:\Users\Admin\AppData\Local\Temp\7c2e49a372774be85d91e19ed6c8481879cdfe203ca8b54bb22bcd209bcee5fe.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2944

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7c2e49a372774be85d91e19ed6c8481879cdfe203ca8b54bb22bcd209bcee5fe.exe.log

    Filesize

    1KB

    MD5

    7ebe314bf617dc3e48b995a6c352740c

    SHA1

    538f643b7b30f9231a3035c448607f767527a870

    SHA256

    48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

    SHA512

    0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

  • memory/2944-134-0x0000000000000000-mapping.dmp

  • memory/2944-135-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2944-137-0x0000000005F40000-0x0000000005FA6000-memory.dmp

    Filesize

    408KB

  • memory/5012-130-0x00000000005D0000-0x000000000064E000-memory.dmp

    Filesize

    504KB

  • memory/5012-131-0x000000000AB10000-0x000000000B0B4000-memory.dmp

    Filesize

    5.6MB

  • memory/5012-132-0x000000000A760000-0x000000000A7F2000-memory.dmp

    Filesize

    584KB

  • memory/5012-133-0x000000000A810000-0x000000000A81A000-memory.dmp

    Filesize

    40KB