Analysis
-
max time kernel
62s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 14:24
General
-
Target
QUOTE PRICES IN USD.exe
-
Size
864KB
-
MD5
1120a77cf247c7280324fbe983c116b9
-
SHA1
b983296cee73f1cbb8280ba019f4970d2bf23e02
-
SHA256
02fcb6cdd4b61cbf7f40448784a36d0067e618cac935aebf6fd6f482af076ba3
-
SHA512
fce768723f21ba1334b4867c260a8f7c49fb3879d586eca3747aa2ef76aaa7607a2ed7ff630318056e1f0378caaa255135eb114569963e4ebad4a7fa0d9e0544
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\3B8E3C2477\Log.txt
Family
masslogger
Ransom Note
<|| v2.4.0.0 ||>
User Name: Admin
IP: 154.61.71.50
Location: United States
Windows OS: Microsoft Windows 7 Ultimate 64bit
Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/20/2022 5:32:38 PM
MassLogger Started: 5/20/2022 5:32:26 PM
Interval: 2 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\QUOTE PRICES IN USD.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:
<|| WD Exclusion ||>
Disabled
<|| Binder ||>
Disabled
<|| Downloader ||>
Disabled
<|| Window Searcher ||>
Disabled
<|| Bot Killer ||>
Disabled
<|| Search And Upload ||>
Disabled
<|| Telegram Desktop ||>
Not Installed
<|| Pidgin ||>
Not Installed
<|| FileZilla ||>
Not Installed
<|| Discord Tokken ||>
Not Installed
<|| NordVPN ||>
Not Installed
<|| Outlook ||>
Not Installed
<|| FoxMail ||>
Not Installed
<|| Thunderbird ||>
Not Installed
<|| FireFox ||>
Not Found
<|| QQ Browser ||>
Not Installed
<|| Chromium Recovery ||>
Not Installed or Not Found
<|| Keylogger And Clipboard ||>
NA
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 6 IoCs
-
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\QUOTE PRICES IN USD.exe"C:\Users\Admin\AppData\Local\Temp\QUOTE PRICES IN USD.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\QUOTE PRICES IN USD.exe"C:\Users\Admin\AppData\Local\Temp\QUOTE PRICES IN USD.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\QUOTE PRICES IN USD.exe"C:\Users\Admin\AppData\Local\Temp\QUOTE PRICES IN USD.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\QUOTE PRICES IN USD.exe"C:\Users\Admin\AppData\Local\Temp\QUOTE PRICES IN USD.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\QUOTE PRICES IN USD.exe"C:\Users\Admin\AppData\Local\Temp\QUOTE PRICES IN USD.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\QUOTE PRICES IN USD.exe"C:\Users\Admin\AppData\Local\Temp\QUOTE PRICES IN USD.exe"2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/664-54-0x0000000000060000-0x000000000013E000-memory.dmpFilesize
888KB
-
memory/664-55-0x0000000004B80000-0x0000000004C5A000-memory.dmpFilesize
872KB
-
memory/664-56-0x0000000075FC1000-0x0000000075FC3000-memory.dmpFilesize
8KB
-
memory/664-57-0x00000000005E0000-0x00000000005F0000-memory.dmpFilesize
64KB
-
memory/664-58-0x0000000001EE0000-0x0000000001EF2000-memory.dmpFilesize
72KB
-
memory/1768-59-0x0000000000400000-0x00000000004B8000-memory.dmpFilesize
736KB
-
memory/1768-60-0x0000000000400000-0x00000000004B8000-memory.dmpFilesize
736KB
-
memory/1768-62-0x0000000000400000-0x00000000004B8000-memory.dmpFilesize
736KB
-
memory/1768-63-0x0000000000400000-0x00000000004B8000-memory.dmpFilesize
736KB
-
memory/1768-64-0x0000000000400000-0x00000000004B8000-memory.dmpFilesize
736KB
-
memory/1768-65-0x00000000004B2BDE-mapping.dmp
-
memory/1768-67-0x0000000000400000-0x00000000004B8000-memory.dmpFilesize
736KB
-
memory/1768-69-0x0000000000400000-0x00000000004B8000-memory.dmpFilesize
736KB
-
memory/1768-70-0x0000000004330000-0x00000000043A8000-memory.dmpFilesize
480KB
-
memory/1768-72-0x0000000004485000-0x0000000004496000-memory.dmpFilesize
68KB