Analysis
-
max time kernel
129s -
max time network
180s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 01:22
Static task
static1
Behavioral task
behavioral1
Sample
RFQ PC00056942.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
RFQ PC00056942.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
TECHNICAL SHEET.exe
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
TECHNICAL SHEET.exe
Resource
win10v2004-20220414-en
General
-
Target
TECHNICAL SHEET.exe
-
Size
923KB
-
MD5
55126f1115a5e05fadd9d0f097273809
-
SHA1
f95d9e0be8191a2b3657584e5bcab782c1e36882
-
SHA256
d02c315a42a4a452a9e78011fbcce66f9f53bab788513d1b6f52e8fc70aa9f3c
-
SHA512
c2a8637b29326c90f1f8c828f7c762d9be203c1192a09f208b79c1d8627f82cd155bb5b5ac8a1ebc27338e7ff502d9f23c9b79a805e6b675afb7cd6f33585bab
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\8236ADF044\Log.txt
masslogger
Extracted
Protocol: smtp- Host:
mail.mkontakt.az - Port:
587 - Username:
[email protected] - Password:
Onyeoba111
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 32 IoCs
Processes:
resource yara_rule behavioral4/memory/4516-138-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-140-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-142-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-144-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-146-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-148-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-150-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-152-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-154-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-156-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-158-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-160-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-162-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-164-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-166-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-168-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-170-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-172-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-174-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-176-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-178-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-180-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-182-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-184-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-186-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-188-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-190-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-192-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-194-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-196-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-198-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral4/memory/4516-200-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger -
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.
Processes:
yara_rule masslogger_log_file -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
TECHNICAL SHEET.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation TECHNICAL SHEET.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs
Processes:
TECHNICAL SHEET.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TECHNICAL SHEET.exe Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TECHNICAL SHEET.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook TECHNICAL SHEET.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TECHNICAL SHEET.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TECHNICAL SHEET.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook TECHNICAL SHEET.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook TECHNICAL SHEET.exe Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook TECHNICAL SHEET.exe Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TECHNICAL SHEET.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TECHNICAL SHEET.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TECHNICAL SHEET.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TECHNICAL SHEET.exe Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook TECHNICAL SHEET.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TECHNICAL SHEET.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TECHNICAL SHEET.exe Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook TECHNICAL SHEET.exe Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TECHNICAL SHEET.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TECHNICAL SHEET.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 64 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
TECHNICAL SHEET.exedescription pid process target process PID 1180 set thread context of 4516 1180 TECHNICAL SHEET.exe TECHNICAL SHEET.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
TECHNICAL SHEET.exepid process 4516 TECHNICAL SHEET.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
TECHNICAL SHEET.exepid process 4516 TECHNICAL SHEET.exe 4516 TECHNICAL SHEET.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
TECHNICAL SHEET.exedescription pid process Token: SeDebugPrivilege 4516 TECHNICAL SHEET.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
TECHNICAL SHEET.exepid process 4516 TECHNICAL SHEET.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
TECHNICAL SHEET.exedescription pid process target process PID 1180 wrote to memory of 4516 1180 TECHNICAL SHEET.exe TECHNICAL SHEET.exe PID 1180 wrote to memory of 4516 1180 TECHNICAL SHEET.exe TECHNICAL SHEET.exe PID 1180 wrote to memory of 4516 1180 TECHNICAL SHEET.exe TECHNICAL SHEET.exe PID 1180 wrote to memory of 4516 1180 TECHNICAL SHEET.exe TECHNICAL SHEET.exe PID 1180 wrote to memory of 4516 1180 TECHNICAL SHEET.exe TECHNICAL SHEET.exe PID 1180 wrote to memory of 4516 1180 TECHNICAL SHEET.exe TECHNICAL SHEET.exe PID 1180 wrote to memory of 4516 1180 TECHNICAL SHEET.exe TECHNICAL SHEET.exe PID 1180 wrote to memory of 4516 1180 TECHNICAL SHEET.exe TECHNICAL SHEET.exe -
outlook_office_path 1 IoCs
Processes:
TECHNICAL SHEET.exedescription ioc process Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TECHNICAL SHEET.exe -
outlook_win_path 1 IoCs
Processes:
TECHNICAL SHEET.exedescription ioc process Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TECHNICAL SHEET.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\TECHNICAL SHEET.exe"C:\Users\Admin\AppData\Local\Temp\TECHNICAL SHEET.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Users\Admin\AppData\Local\Temp\TECHNICAL SHEET.exe"{path}"2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:4516
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58783efc818e6c4b08cdd7dc7e06641d0
SHA1481a410d390aefdd28ff1bc005d1ee46e7b092f2
SHA256735a7e96c6b2d91b062f378d14291656b72c92d36b1a21584ce5b606b4ea8572
SHA5121d48c97192d9ca4deca93a2a62dc6230d2752b1710c95660b41e89413b9b022a0139570d946580968bd04cf48497a6dc31e25d4aca7f477525b346ab0a302d32