Overview

overview

10

Static

static

Bank Accou...ls.exe

windows7_x64

10

Bank Accou...ls.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    44s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 00:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bank Account Details.exe

  • Size

    703KB

  • MD5

    c43a7628f89146f64b7465f23405c044

  • SHA1

    09db7a9f63f0cea8fa6c3474e38d94212640cf97

  • SHA256

    aa2909aa6100453e8a83116a0c51a3ff2a1556063587c0ded38f45dbfa748d28

  • SHA512

    6a0975c5639ecf5ccab23ea1b8fb3eca82ac1f1fd7cd0bf650af0ff9e8fadaf08501c912032fc3a6a13dfe0df0b42a993d0a661c8ecc489391106c6d094b1f04

Score
10/10
massloggercollectionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v2.0.0.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.51 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 12:51:07 AM MassLogger Started: 5/21/2022 12:50:56 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\Bank Account Details.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    daxwfolpiyesmfhd

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bank Account Details.exe
    "C:\Users\Admin\AppData\Local\Temp\Bank Account Details.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Users\Admin\AppData\Local\Temp\Bank Account Details.exe
      "C:\Users\Admin\AppData\Local\Temp\Bank Account Details.exe"
      2⤵
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1488-54-0x0000000000C40000-0x0000000000CF4000-memory.dmp
    Filesize

    720KB

    Download
  • memory/1488-55-0x0000000000550000-0x00000000005CA000-memory.dmp
    Filesize

    488KB

    Download
  • memory/1488-56-0x0000000000B30000-0x0000000000BBE000-memory.dmp
    Filesize

    568KB

    Download
  • memory/1896-57-0x0000000000400000-0x000000000048E000-memory.dmp
    Filesize

    568KB

    Download
  • memory/1896-58-0x0000000000400000-0x000000000048E000-memory.dmp
    Filesize

    568KB

    Download
  • memory/1896-60-0x0000000000400000-0x000000000048E000-memory.dmp
    Filesize

    568KB

    Download
  • memory/1896-61-0x0000000000400000-0x000000000048E000-memory.dmp
    Filesize

    568KB

    Download
  • memory/1896-62-0x0000000000400000-0x000000000048E000-memory.dmp
    Filesize

    568KB

    Download
  • memory/1896-63-0x000000000048929E-mapping.dmp
    Download
  • memory/1896-65-0x0000000000400000-0x000000000048E000-memory.dmp
    Filesize

    568KB

    Download
  • memory/1896-67-0x0000000000400000-0x000000000048E000-memory.dmp
    Filesize

    568KB

    Download
  • memory/1896-68-0x0000000000530000-0x0000000000574000-memory.dmp
    Filesize

    272KB

    Download
  • memory/1896-69-0x0000000075271000-0x0000000075273000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1896-70-0x0000000000860000-0x0000000000874000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1896-71-0x0000000004995000-0x00000000049A6000-memory.dmp
    Filesize

    68KB

    Download