Overview

overview

10

Static

static

PURCHASE.exe

windows7_x64

10

PURCHASE.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d9ba65273cd9e8f4f3c4dcf601c652d153fe3fc54a0dd1135389574945128dd5

  • Size

    2.2MB

  • Sample

    220521-cgf3hsdha5

  • MD5

    a7bf11fb5f2ea3296cefdba78eeac0f3

  • SHA1

    aac33b64c78f526a8848556669b4bae65a534a4a

  • SHA256

    d9ba65273cd9e8f4f3c4dcf601c652d153fe3fc54a0dd1135389574945128dd5

  • SHA512

    76e29ddbfad902ac7cab3249641a928ad61ce62ad1550ba95ff80d4ff7f9bf924ea27c6a511de1546d4fd39197fc4f507ceb2ddda3b4e11453146d49b3465aeb

Score
10/10
massloggercollectionrezer0spywarestealerupx

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.flockmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Fraudoo7

Targets

    • Target

      PURCHASE.EXE

    • Size

      1.7MB

    • MD5

      692a0e33a1f8159a91020ff78a91fd0f

    • SHA1

      e609fdef9d33611113fe311276d6584a0d3e221c

    • SHA256

      dbdbfa24b62d54b1624dac7d07bd939677342c820867b0d8993f0ab95af3d342

    • SHA512

      1bc350b7aee9c53d116ea2dc41e04dce24bae01b2a0a41fa56457d42a5164e76b7debdf6be9670f83a87b3922f85d4548ebbbcc655e03ed7a344a212135eeb72

    Score
    10/10
    massloggercollectionrezer0spywarestealerupx

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

      stealerspywaremasslogger

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks