General

  • Target

    97b2ed57152af2f0c93d46664fe6340832b1dd8b53f5280e42c5787e00acbef7

  • Size

    1.3MB

  • Sample

    220521-b2t97schc5

  • MD5

    7300d1e5d8275b346470825027b9c942

  • SHA1

    5d184ad80685d356eb8bc5287968986b5b9ffd90

  • SHA256

    97b2ed57152af2f0c93d46664fe6340832b1dd8b53f5280e42c5787e00acbef7

  • SHA512

    6931799b112fb558a3e97b4a1a78f903d2a1849a6336c956dfa01915c9a72e42b75b5f1315c43da2a9b028e6434801bd7c392d18aa07e8b976897b7b89ebd9e3

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note
#################################################################
MassLogger v1.3.3.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.50
Location: United States
OS: Microsoft Windows 7 Ultimate 64bit
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 4:33:12 AM
MassLogger Started: 5/21/2022 4:32:55 AM
Interval: 2 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
As Administrator: True

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Dmacdavid

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\F293CD6622\Log.txt

Family

masslogger

Ransom Note
#################################################################
MassLogger v1.3.3.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.50
Location: United States
OS: Microsoft Windows 10 Pro64bit
CPU: Intel Core Processor (Broadwell)
GPU: Microsoft Basic Display Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 4:33:15 AM
MassLogger Started: 5/21/2022 4:32:48 AM
Interval: 2 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
As Administrator: True

Targets

    • Target

      NB_Inquiry.exe

    • Size

      2.7MB

    • MD5

      033f93ab38b8abcd2c5125ff04172e9c

    • SHA1

      030098b28e2099a2fc12f5dbe8b4ad4af92295a5

    • SHA256

      91ab9b169f8b0c05ab795c52b0e41f34374bb828c16176eda1f121c1dbc12731

    • SHA512

      47d90a7edcda87676986303da496cbe170e71a09c98cd6ef2b13ca52f63ea58795e4de3156f0f7c0a0a300adb2e6a2ac7a721c01a29d62ebce74bf3fe70d76b8

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files, T1081 (1)

  • Discovery

    Query Registry, T1012 (1)

    System Information Discovery, T1082 (1)

  • Collection

    Data from Local System, T1005 (1)

    Email Collection, T1114 (1)

Tasks