masslogger | 70b7e90d998239e628bb364f5d9d625d53a82318103b3da59810af74681f277c

Analysis

max time kernel
141s
max time network
144s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Urgent request for Quotation.exe
Size

3.3MB
MD5

62a7d430071026ab9826285d60354082
SHA1

fc028f6a25a1acd1f0741669bd257fa65aa87cdb
SHA256

d149c44a5c8f9d0589498409795b1e37bc9caf8bd3a41b50b0ab97a80ba096b7
SHA512

8611907c264600b72d2f517b396006d99869be932e3303af4aaa45e3e580348bbc6778baadfea2f3729dd0d5690a74988f5bac840f1f502b1cb801a6c8ab7f88

Score

10^/10

masslogger collection spyware stealer upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
webmail.argo.com.br
Port:
587
Username:
[email protected]
Password:
argo2019xa

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file

yara_rule
masslogger_log_file

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Costura\8E3603ED8A0381E02887C1DBBE921340\32\sqlite.interop.dll	acprotect

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Costura\8E3603ED8A0381E02887C1DBBE921340\32\sqlite.interop.dll	upx

Drops startup file 1 IoCs

Processes:

Urgent request for Quotation.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Taskmgr.url	Urgent request for Quotation.exe

Loads dropped DLL 1 IoCs

Processes:

MSBuild.exe

pid process

1640 MSBuild.exe

pid	process
1640	MSBuild.exe

Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs

collection

Email Collection

T1114

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MSBuild.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Urgent request for Quotation.exe

description pid process target process

PID 892 set thread context of 1640 892 Urgent request for Quotation.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSBuild.exe

pid process

1640 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 1640 MSBuild.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Urgent request for Quotation.exe

pid process

892 Urgent request for Quotation.exe
892 Urgent request for Quotation.exe
892 Urgent request for Quotation.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Urgent request for Quotation.exe

pid process

892 Urgent request for Quotation.exe
892 Urgent request for Quotation.exe
892 Urgent request for Quotation.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

description	pid	process	target process
PID 892 set thread context of 1640	892	Urgent request for Quotation.exe	MSBuild.exe

pid	process
1640	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1640	MSBuild.exe

pid	process
892	Urgent request for Quotation.exe
892	Urgent request for Quotation.exe
892	Urgent request for Quotation.exe

pid	process
892	Urgent request for Quotation.exe
892	Urgent request for Quotation.exe
892	Urgent request for Quotation.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Urgent request for Quotation.exe

description	pid	process	target process
PID 892 wrote to memory of 1640	892	Urgent request for Quotation.exe	MSBuild.exe
PID 892 wrote to memory of 1640	892	Urgent request for Quotation.exe	MSBuild.exe
PID 892 wrote to memory of 1640	892	Urgent request for Quotation.exe	MSBuild.exe
PID 892 wrote to memory of 1640	892	Urgent request for Quotation.exe	MSBuild.exe
PID 892 wrote to memory of 1640	892	Urgent request for Quotation.exe	MSBuild.exe
PID 892 wrote to memory of 1640	892	Urgent request for Quotation.exe	MSBuild.exe

outlook_office_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\Urgent request for Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent request for Quotation.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Costura\8E3603ED8A0381E02887C1DBBE921340\32\sqlite.interop.dll

Filesize
594KB

MD5
e81aeac387c5db32b7f9b07d15e788e0

SHA1
829be6eaf1cb0d82b2ddfc98272e1087f4a7a7c3

SHA256
44f31f99f048bfc5195937353b5207332e455bcd5a722bcfd32cacfd93f60f06

SHA512
cc6a96325a01c50c059706a1f4156f109e502ef9c0b0f5de209d1f52e7cc973cebc027f57ed988e9d1b8fca62746b60ee7430d608de95cdd0e5ac3cb61fbe32e

Download Submit
memory/892-54-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/892-59-0x0000000002E10000-0x00000000030C2000-memory.dmp

Filesize
2.7MB

Download
memory/892-62-0x0000000004950000-0x0000000004C02000-memory.dmp

Filesize
2.7MB

Download
memory/1640-55-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-57-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-64-0x0000000000559FDE-mapping.dmp

Download
memory/1640-65-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-66-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-67-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-68-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-69-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-70-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-71-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-74-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-73-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-76-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-75-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-72-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-77-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-78-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-79-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-80-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-81-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-82-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-83-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-84-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-85-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-86-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-87-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-88-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-89-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-90-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-91-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-92-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-93-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-94-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-96-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-95-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-97-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-98-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-99-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-100-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-101-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-102-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-103-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-104-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-105-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-106-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-108-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-109-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-110-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-111-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-107-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-112-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-113-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-114-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-115-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-116-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-117-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-119-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-120-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-118-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1640-348-0x0000000000740000-0x0000000000784000-memory.dmp

Filesize
272KB

Download
memory/1640-349-0x0000000004DF0000-0x0000000004E80000-memory.dmp

Filesize
576KB

Download
memory/1640-350-0x00000000053A0000-0x0000000005400000-memory.dmp

Filesize
384KB

Download