Overview

overview

10

Static

static

RFQ.exe

windows7_x64

10

RFQ.exe

windows10-2004_x64

5

Analysis

  • max time kernel
    90s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 02:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ.exe

  • Size

    842KB

  • MD5

    43bf47ce9c3b94e284d4b1127ae23316

  • SHA1

    ecd3faede2a34fee58c8b84e297abf217e9b4b4c

  • SHA256

    db18483e4256dc8f3362b52e3474260eeee4a7e7af43c8126200237e5a8804db

  • SHA512

    dfa81578090f56788c7b76bbca564a2c3cfb2e49c6ee83a92a46adc5a57a802950c18368ae1a4df68d4e0b6e3342b2c83d0ebb1b73b4edd93f347d309a891d72

Score
10/10
massloggercollectionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\8506BBE7FF\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v2.0.0.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.13 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 6:12:46 AM MassLogger Started: 5/21/2022 6:12:35 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\RFQ.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Users\Admin\AppData\Local\Temp\RFQ.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:592

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/592-64-0x0000000000489A0E-mapping.dmp

    Download

  • memory/592-66-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/592-72-0x00000000049D5000-0x00000000049E6000-memory.dmp

    Filesize

    68KB

    Download

  • memory/592-71-0x0000000000760000-0x0000000000774000-memory.dmp

    Filesize

    80KB

    Download

  • memory/592-70-0x00000000753E1000-0x00000000753E3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/592-59-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/592-69-0x0000000000540000-0x0000000000584000-memory.dmp

    Filesize

    272KB

    Download

  • memory/592-61-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/592-58-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/592-63-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/592-62-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/592-68-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/1240-55-0x0000000000230000-0x0000000000240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1240-54-0x0000000000BA0000-0x0000000000C78000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1240-57-0x00000000055B0000-0x000000000563E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/1240-56-0x0000000004ED0000-0x0000000004F5A000-memory.dmp

    Filesize

    552KB

    Download