General

  • Target

    06b1441efdb02e5d77466c0b6ee669b6f2ad9ba0d89f26ad04daf6acd10bd3db

  • Size

    781KB

  • Sample

    220521-b2ngnachb6

  • MD5

    ad788b821e85f0f78608ff87f5a2a747

  • SHA1

    b4e930fb762e08498be963f66c6d024361ce2552

  • SHA256

    06b1441efdb02e5d77466c0b6ee669b6f2ad9ba0d89f26ad04daf6acd10bd3db

  • SHA512

    80bc3ce41ab408951794c5ca1736aca27ca172e967483e651d95759b6a32cf1e5a5cfcde5420364adb6642bc259fd6b45d8e0b6c507b6b7a84364952292107fc

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    uz@cairoways.me
  • Password:
    09012345@
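The credentials above describe the sample's exfiltration channel: MassLogger mails its logs out over SMTP submission (port 587) to mail.privateemail.com with the extracted account. The following Python is an added example, not part of the report or of any vendor tooling, showing how a responder would turn that configuration plus the report's SHA-256 values into detection logic and run it over host telemetry. It goes slightly beyond the report: besides an exact match on the extracted host, it also flags any SMTP port used by a process that is not a mail client, which catches the same stealer with a different config. The Sysmon-style events and the mail-client allowlist are constructed assumptions; the password is deliberately left out.

```python
import json
from typing import Dict, Iterable, List, Set

# Exfiltration channel recovered from the sample's configuration (values from this
# report; the password is deliberately omitted).
EXTRACTED_CONFIG: Dict[str, object] = {
    "protocol": "smtp",
    "host": "mail.privateemail.com",
    "port": 587,
    "username": "uz@cairoways.me",
}

# SHA-256 values of the two binaries listed in this report.
KNOWN_SHA256: Set[str] = {
    "06b1441efdb02e5d77466c0b6ee669b6f2ad9ba0d89f26ad04daf6acd10bd3db",
    "40eac0b9c7fb03c9f4a54a82b47534babfdcc931b5d83832f1ae2facd9fe0cc3",
}

# Processes expected to speak SMTP submission on a workstation. This allowlist is an
# assumption for the example and must be tuned per estate.
MAIL_CLIENTS: Set[str] = {"outlook.exe", "thunderbird.exe"}

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network connect).
# Illustrative only, not telemetry captured from the sandbox run.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\u\\Downloads\\Purchase Order#0398483.exe", "Hashes": "MD5=53E410760C9F2F2C4A1144FC34EB455A,SHA256=40EAC0B9C7FB03C9F4A54A82B47534BABFDCC931B5D83832F1AE2FACD9FE0CC3"}
{"EventID": 3, "Image": "C:\\Users\\u\\Downloads\\Purchase Order#0398483.exe", "DestinationHostname": "mail.privateemail.com", "DestinationPort": 587}
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "DestinationHostname": "mail.privateemail.com", "DestinationPort": 587}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationHostname": "update.example.net", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"}
"""


def parse_events(text: str) -> List[dict]:
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_smtp_exfil(events: Iterable[dict], cfg: Dict[str, object] = EXTRACTED_CONFIG,
                    allow: Set[str] = MAIL_CLIENTS) -> List[dict]:
    """Flag outbound SMTP from anything that is not a mail client. Two tiers: an exact
    match on the host extracted from the config, or (the generalisation) any SMTP
    port used by a process outside the allowlist."""
    smtp_ports = {int(cfg["port"]), 25, 465, 587}
    hits = []
    for ev in events:
        if ev.get("EventID") != 3:
            continue
        image = _basename(ev.get("Image", ""))
        if image in allow:
            continue
        host = str(ev.get("DestinationHostname", "")).lower()
        port = ev.get("DestinationPort")
        if host == cfg["host"]:
            reason = "destination matches host extracted from sample config"
        elif port in smtp_ports:
            reason = "SMTP submission port used by a non-mail process"
        else:
            continue
        hits.append({"image": image, "host": host, "port": port, "reason": reason})
    return hits


def flag_known_hashes(events: Iterable[dict], known: Set[str] = KNOWN_SHA256) -> List[dict]:
    """Match the Sysmon 'Hashes' field (ALGO=HEX pairs) against the report's SHA-256 values."""
    hits = []
    for ev in events:
        for pair in str(ev.get("Hashes", "")).split(","):
            algo, _, value = pair.partition("=")
            if algo.strip().upper() == "SHA256" and value.strip().lower() in known:
                hits.append({"image": ev.get("Image"), "sha256": value.strip().lower()})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for hit in flag_known_hashes(evs) + flag_smtp_exfil(evs):
        print(hit)
```

Run against the constructed events, the hash rule fires once (the dropped Purchase Order#0398483.exe) and the SMTP rule fires once (the same binary connecting to mail.privateemail.com:587); Outlook's connection to the same host is suppressed by the allowlist, which is exactly the trade-off to review when tuning.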

Targets

    • Target

      Purchase Order#0398483.exe

    • Size

      864KB

    • MD5

      53e410760c9f2f2c4a1144fc34eb455a

    • SHA1

      d07649c8605753cb60ec997c04400db2ce570aad

    • SHA256

      40eac0b9c7fb03c9f4a54a82b47534babfdcc931b5d83832f1ae2facd9fe0cc3

    • SHA512

      3dab903d8c4883d515adcb2e6cc3a63b520e1a8258ba6e345e613a029975e40d6facbddafc7754971df2176f56275e15d60bb0226ab24e0c9a695b99195f36ca

    • CoreEntity .NET Packer

      A .NET packer, CoreEntity, that embeds its payload in a Bitmap object and decrypts it at run time.

    • MassLogger

      MassLogger is a .NET stealer that targets passwords saved by browsers, email clients and cryptocurrency clients.

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext is the call process-hollowing and thread-hijacking loaders use to point a suspended thread at injected code; seen together with the packer signatures above, it is consistent with the decrypted payload being run from another process.
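The CoreEntity entry above says the payload travels inside a Bitmap object and is decrypted later. The report does not describe the encoding or the cipher, so the following Python is an added example, not code from the report or from the packer, showing the part an analyst can reason about generically: recovering the byte stream from a 24-bpp BMP correctly (bottom-up row order and 4-byte row padding are what usually scramble a bitmap-carried payload) and then applying a candidate transform until a PE header with a valid e_lfanew appears. The single-byte XOR search is a stand-in assumption for whatever the real packer does, and the BMP writer, the fake PE stub and the key are all constructed for the example.

```python
import struct
from typing import Optional, Tuple

BYTES_PER_PIXEL = 3   # 24-bit BGR bitmap, no palette

# Constructed stand-in for an unpacked payload: a DOS header whose e_lfanew (offset
# 0x3C) points at a "PE\0\0" signature, followed by the familiar DOS stub string.
FAKE_PE = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
           + b"PE\x00\x00" + b"\x00" * 20
           + b"This program cannot be run in DOS mode.")


def pack_bitmap(data: bytes, width: int = 64) -> bytes:
    """Constructed stand-in for a packer resource: lay `data` out as the pixel stream
    of a 24-bpp, bottom-up BMP. Rows are padded to 4-byte boundaries and written
    last-row-first, exactly as a BMP writer would."""
    row_bytes = width * BYTES_PER_PIXEL
    height = -(-len(data) // row_bytes)                       # ceiling division
    data = data.ljust(row_bytes * height, b"\x00")
    pad = (-row_bytes) % 4
    rows = [data[i * row_bytes:(i + 1) * row_bytes] + b"\x00" * pad for i in range(height)]
    pixels = b"".join(reversed(rows))                         # positive height => bottom-up
    file_header = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(pixels), 0, 0, 14 + 40)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 0, 0, 0, 0)
    return file_header + dib_header + pixels


def unpack_bitmap(bmp: bytes) -> bytes:
    """Recover the pixel stream in logical (top-to-bottom) row order with the row
    padding stripped. Honouring the sign of the height field and the row stride is
    what keeps the recovered bytes contiguous."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    pixel_offset = struct.unpack_from("<I", bmp, 10)[0]
    width, height, _planes, bpp = struct.unpack_from("<iiHH", bmp, 18)
    if bpp != 24:
        raise ValueError(f"only 24-bpp handled here, got {bpp}")
    bottom_up = height > 0
    height = abs(height)
    row_bytes = width * BYTES_PER_PIXEL
    stride = (row_bytes + 3) & ~3
    rows = [bmp[pixel_offset + r * stride: pixel_offset + r * stride + row_bytes]
            for r in range(height)]
    if bottom_up:
        rows.reverse()
    return b"".join(rows)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_payload(stream: bytes) -> Optional[Tuple[int, bytes]]:
    """Stand-in for the packer's real decryption step (not described in the report):
    try the identity and every single-byte XOR key, and accept the first candidate
    whose 'MZ' header has an e_lfanew pointing at a 'PE\\0\\0' signature."""
    for key in range(256):
        candidate = xor_bytes(stream, key) if key else stream
        if candidate[:2] != b"MZ" or len(candidate) < 0x40:
            continue
        e_lfanew = struct.unpack_from("<I", candidate, 0x3C)[0]
        if candidate[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return key, candidate
    return None


def demo(key: int = 0x5A) -> Tuple[int, bytes]:
    """Round trip: encode FAKE_PE with an assumed XOR key into a narrow bitmap (width 7
    forces row padding), then recover and identify it."""
    resource = pack_bitmap(xor_bytes(FAKE_PE, key), width=7)
    stream = unpack_bitmap(resource)
    result = find_payload(stream)
    if result is None:
        raise RuntimeError("payload not recovered")
    return result


if __name__ == "__main__":
    found_key, payload = demo()
    print(f"key=0x{found_key:02X} header={payload[:2]!r} len={len(payload)}")
```

The recovered buffer is longer than the original because the last bitmap row is zero-padded; when carving for real, trust the PE headers (SizeOfImage, section table) for the true length rather than the bitmap dimensions.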

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                       Count   ID
  Execution              Scheduled Task                  1       T1053
  Persistence            Scheduled Task                  1       T1053
  Privilege Escalation   Scheduled Task                  1       T1053
  Credential Access      Credentials in Files            1       T1081
  Discovery              Query Registry                  1       T1012
  Discovery              System Information Discovery    2       T1082
  Collection             Data from Local System          1       T1005
  Collection             Email Collection                1       T1114

Tasks