Overview

overview

10

Static

static

AVISO, Tra...BC.exe

windows7_x64

10

AVISO, Tra...BC.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    106s
  • max time network
    111s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 03:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AVISO, Transferencia ICBC.exe

  • Size

    2.1MB

  • MD5

    c051a6a2518f457e2f98a5ae69b5e74b

  • SHA1

    d4025f3a5f9a5cd1486e4b593c740717eb974630

  • SHA256

    bb69c76bdb4fd7d1cba3cce7ccd70341ef077e7651a2d8542841c8e16125dd36

  • SHA512

    83b03a86840664ed266f66740ed26ce06500c96deac3e0ddd906176b64c9c667153abf54eac82e43a1dc5b7886e7d44bff630d012952c77959e261777e01629c

Score
10/10
massloggeragilenetcollectionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\3B8E3C2477\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.3.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 7:12:49 AM MassLogger Started: 5/21/2022 7:12:31 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe As Administrator: True

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Dmacdavid

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AVISO, Transferencia ICBC.exe
    "C:\Users\Admin\AppData\Local\Temp\AVISO, Transferencia ICBC.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:1360

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    40KB

    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    40KB

    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    40KB

    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit

  • memory/812-55-0x0000000000280000-0x0000000000294000-memory.dmp

    Filesize

    80KB

    Download

  • memory/812-56-0x00000000002C0000-0x00000000002C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/812-57-0x0000000000470000-0x0000000000478000-memory.dmp

    Filesize

    32KB

    Download

  • memory/812-58-0x0000000000480000-0x0000000000488000-memory.dmp

    Filesize

    32KB

    Download

  • memory/812-54-0x0000000001100000-0x0000000001324000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1360-83-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-95-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-66-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-67-0x00000000004A12AE-mapping.dmp

    Download

  • memory/1360-63-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-70-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-72-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-61-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-75-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-77-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-79-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-81-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-60-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-85-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-87-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-89-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-93-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-65-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-91-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-97-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-99-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-101-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-103-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-105-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-107-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-109-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-111-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-113-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-115-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-117-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-119-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-121-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-123-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-125-0x0000000000400000-0x0000000000546000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1360-579-0x0000000000960000-0x00000000009A4000-memory.dmp

    Filesize

    272KB

    Download