Analysis
- max time kernel: 44s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 00:34
Static task: static1
Behavioral task: behavioral1
- Sample: Bank Account Details.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Bank Account Details.exe
- Resource: win10v2004-20220414-en
General
- Target: Bank Account Details.exe
- Size: 703KB
- MD5: c43a7628f89146f64b7465f23405c044
- SHA1: 09db7a9f63f0cea8fa6c3474e38d94212640cf97
- SHA256: aa2909aa6100453e8a83116a0c51a3ff2a1556063587c0ded38f45dbfa748d28
- SHA512: 6a0975c5639ecf5ccab23ea1b8fb3eca82ac1f1fd7cd0bf650af0ff9e8fadaf08501c912032fc3a6a13dfe0df0b42a993d0a661c8ecc489391106c6d094b1f04
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt
- Family: masslogger
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: daxwfolpiyesmfhd
Signatures
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger log file (1 IoCs)
  Detects a log file produced by MassLogger.
  Processes:
  - yara_rule: masslogger_log_file
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation (Bank Account Details.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 15 IoCs)
  Processes (description / ioc; all by Bank Account Details.exe):
  - Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key queried: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  - Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  - Key queried: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  - Key queried: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  - Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key queried: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  - Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key queried: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  - Key queried: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  - flow 3: api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 1488 (Bank Account Details.exe) set thread context of PID 1896 (Bank Account Details.exe)
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid / process):
  - 1896 Bank Account Details.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 1896 Bank Account Details.exe
  - 1896 Bank Account Details.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, PID 1896 (Bank Account Details.exe)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
  - 1896 Bank Account Details.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
  - PID 1488 (Bank Account Details.exe) wrote to memory of PID 1896 (Bank Account Details.exe), reported 9 times
- outlook_office_path (1 IoCs)
  Processes (description / ioc / process):
  - Key queried: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Bank Account Details.exe)
- outlook_win_path (1 IoCs)
  Processes (description / ioc / process):
  - Key queried: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Bank Account Details.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Bank Account Details.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bank Account Details.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Bank Account Details.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bank Account Details.exe"
    - Checks computer location settings
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Downloads
- memory/1488-54-0x0000000000C40000-0x0000000000CF4000-memory.dmp (720KB)
- memory/1488-55-0x0000000000550000-0x00000000005CA000-memory.dmp (488KB)
- memory/1488-56-0x0000000000B30000-0x0000000000BBE000-memory.dmp (568KB)
- memory/1896-57-0x0000000000400000-0x000000000048E000-memory.dmp (568KB)
- memory/1896-58-0x0000000000400000-0x000000000048E000-memory.dmp (568KB)
- memory/1896-60-0x0000000000400000-0x000000000048E000-memory.dmp (568KB)
- memory/1896-61-0x0000000000400000-0x000000000048E000-memory.dmp (568KB)
- memory/1896-62-0x0000000000400000-0x000000000048E000-memory.dmp (568KB)
- memory/1896-63-0x000000000048929E-mapping.dmp
- memory/1896-65-0x0000000000400000-0x000000000048E000-memory.dmp (568KB)
- memory/1896-67-0x0000000000400000-0x000000000048E000-memory.dmp (568KB)
- memory/1896-68-0x0000000000530000-0x0000000000574000-memory.dmp (272KB)
- memory/1896-69-0x0000000075271000-0x0000000075273000-memory.dmp (8KB)
- memory/1896-70-0x0000000000860000-0x0000000000874000-memory.dmp (80KB)
- memory/1896-71-0x0000000004995000-0x00000000049A6000-memory.dmp (68KB)