Analysis

  • max time kernel
    68s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    16-05-2022 18:49

General

  • Target: 08be694ed1a49b278928554b26a070ecc27d9af84930a8c5386e89adeeeef388.exe
  • Size: 1.2MB
  • MD5: 5e2fb646f9d2b0a82e9b08cd06fc5963
  • SHA1: 06cda86331a278d8676072508e09689bd643caad
  • SHA256: 08be694ed1a49b278928554b26a070ecc27d9af84930a8c5386e89adeeeef388
  • SHA512: 44e18afe6e29521dfa7369e1efbce8c720d46b9f5a0c42470abc05060e358e52e7029e7496f4e4d18ee9e8075d0f0c12fb4a4286924896627ffe87a57adc2daf

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08be694ed1a49b278928554b26a070ecc27d9af84930a8c5386e89adeeeef388.exe
    "C:\Users\Admin\AppData\Local\Temp\08be694ed1a49b278928554b26a070ecc27d9af84930a8c5386e89adeeeef388.exe"
    1⤵
    • Checks computer location settings
    • Accesses Microsoft Outlook profiles
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:1992
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\08be694ed1a49b278928554b26a070ecc27d9af84930a8c5386e89adeeeef388.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1420

Downloads

  • memory/1420-59-0x0000000000000000-mapping.dmp
  • memory/1420-61-0x00000000768D1000-0x00000000768D3000-memory.dmp (Filesize: 8KB)
  • memory/1420-62-0x000000006F200000-0x000000006F7AB000-memory.dmp (Filesize: 5.7MB)
  • memory/1992-54-0x0000000000E90000-0x0000000000FCA000-memory.dmp (Filesize: 1.2MB)
  • memory/1992-55-0x00000000008D0000-0x00000000008E2000-memory.dmp (Filesize: 72KB)
  • memory/1992-56-0x0000000005740000-0x0000000005814000-memory.dmp (Filesize: 848KB)
  • memory/1992-57-0x0000000007CC0000-0x0000000007D94000-memory.dmp (Filesize: 848KB)
  • memory/1992-58-0x00000000047A0000-0x0000000004826000-memory.dmp (Filesize: 536KB)
  • memory/1992-60-0x0000000004855000-0x0000000004866000-memory.dmp (Filesize: 68KB)