Overview

overview

10

Static

static

HOUSE_DO.exe

windows7_x64

3

HOUSE_DO.exe

windows10-2004_x64

10

HOUSE_PI.exe

windows7_x64

10

HOUSE_PI.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cb7a462223f02ca4a41ce7f48a6bb8c7ee0d36798c12b1559bcdabe25d57141f

  • Size

    2.7MB

  • Sample

    220521-ckmz8shafm

  • MD5

    a14cece52ea128b6275c15b17ee464e8

  • SHA1

    05bd2984c8c87085a7373eaceeb2c3622305898e

  • SHA256

    cb7a462223f02ca4a41ce7f48a6bb8c7ee0d36798c12b1559bcdabe25d57141f

  • SHA512

    26f34c4fa34184af86a73000694d60844c25909c9cdbdc44526554198622620217ffcd1df364dba973479dce6339c8100f9e9e0e976891cc91910fb0243fe032

Score
10/10
agentteslamassloggercollectionkeyloggerransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\19E979543A\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.6.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.13 Location: United States Windows OS: Microsoft Windows 10 Pro64bit Windows Serial Key: W269N-WFGWX-YVC9B-4J6C9-T83GX CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 5:12:34 AM MassLogger Started: 5/21/2022 5:12:16 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\HOUSE_DO.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    cruizjamesvhjkl@

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    cruizjamesvhjkl@

Targets

    • Target

      HOUSE_DO.EXE

    • Size

      1.3MB

    • MD5

      4dd93076bfc75f76a248882ac422a31a

    • SHA1

      53d904be35b2e8c7de03c20f6e54067046b2ce57

    • SHA256

      f66ba3c720e0df70977904953fb0f359eddcc621703aec51d1d3f16e099a2816

    • SHA512

      11e9f6b84cfd5403424c7da60011581fc591dbbf8d5f8ad02f0d1b920edfc3ed06dec27ba254a57bab3b036e65ab9af5713b3764447ce89cdaca328bfc9024b3

    Score
    10/10
    massloggercollectionransomwarespywarestealer

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

      stealerspywaremasslogger

    • MassLogger Main Payload

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      HOUSE_PI.EXE

    • Size

      892KB

    • MD5

      5bdf485867aa3d87b494be177e7c98da

    • SHA1

      3201fd68704cfa89e9f32f807cb1cdf4bf39bc45

    • SHA256

      ba99ebdbb38769a5fce130e0a16cd0c2aa0380cfc4ec5dd257dcadcdcea69ee4

    • SHA512

      214e0b6a6d95243587e6df856095180d9d475536d2a01b52573f389a38d1659c94747a51cae51c7748e19d7455549efac0f3c4efcb82a51d09687b2273621f42

    Score
    10/10
    agentteslakeyloggerspywarestealertrojancollection

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

2
T1053

Persistence

Scheduled Task

2
T1053

Privilege Escalation

Scheduled Task

2
T1053

Defense Evasion

Credential Access

Credentials in Files

4
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks