Overview

overview

10

Static

static

RFQ PC00056942.exe

windows7_x64

10

RFQ PC00056942.exe

windows10-2004_x64

10

TECHNICAL SHEET.exe

windows7_x64

10

TECHNICAL SHEET.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    99d4d18e906e44d3b08aede8237928a7a6866378516bd07695f2bca4fc8a954f

  • Size

    1.0MB

  • Sample

    220521-bq8nfsfdar

  • MD5

    86105e7e57650439248e8ac3c1e8ffac

  • SHA1

    647ce597bc8e8924e2dace60101323d8859d704e

  • SHA256

    99d4d18e906e44d3b08aede8237928a7a6866378516bd07695f2bca4fc8a954f

  • SHA512

    1844b5783cde603219e7e1fe8298a3cfbf5d5c376ec2f84c15f782633ded8dac51fba96c711b0dde70635a859bb7afc946d851c62ae8057636fde08229b7bcc1

Score
10/10
azorultmassloggercollectioninfostealerransomwarespywarestealertrojan

Malware Config

Extracted

Family

azorult

C2

http://217.160.254.33/index.php

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\3B8E3C2477\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.5.0 ################################################################# ### Logger Details ### User Name: Admin IP: 127.0.0.1 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 4:03:03 AM MassLogger Started: 5/21/2022 4:02:44 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\TECHNICAL SHEET.exe MassLogger Melt: false MassLogger Exit after delivery: true As Administrator: True Processes:

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.mkontakt.az
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Onyeoba111

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\8236ADF044\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.5.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 10 Pro64bit CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 4:02:39 AM MassLogger Started: 5/21/2022 4:02:08 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\TECHNICAL SHEET.exe MassLogger Melt: false MassLogger Exit after delivery: true As Administrator: True Processes:

Targets

    • Target

      RFQ PC00056942.exe

    • Size

      285KB

    • MD5

      49226c62012170c00a4cccae8d61c363

    • SHA1

      aa1af05c892e18e611f153263bd5582536243de6

    • SHA256

      b7867882baba4d27ac04f4b537b20a90166c5d3c82247f84ed338cf7cafba649

    • SHA512

      6a56506a92148ada8a9e0562fc6bc18c594cd4047108e9921d8d15ef5499b9628674b54ef37ed32a9c345c9c4ab43b4f983bd4ca77320da374991ef41f518da7

    Score
    10/10
    azorultinfostealertrojan

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      TECHNICAL SHEET.exe

    • Size

      923KB

    • MD5

      55126f1115a5e05fadd9d0f097273809

    • SHA1

      f95d9e0be8191a2b3657584e5bcab782c1e36882

    • SHA256

      d02c315a42a4a452a9e78011fbcce66f9f53bab788513d1b6f52e8fc70aa9f3c

    • SHA512

      c2a8637b29326c90f1f8c828f7c762d9be203c1192a09f208b79c1d8627f82cd155bb5b5ac8a1ebc27338e7ff502d9f23c9b79a805e6b675afb7cd6f33585bab

    Score
    10/10
    massloggercollectionransomwarespywarestealer

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

      stealerspywaremasslogger

    • MassLogger Main Payload

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks