General

  • Target

    198f0de0ad9295ded03239d689b9a6e64ce4d694dfdfd27bc002230d1886e38b

  • Size

    1.5MB

  • Sample

    220521-dyfzhsbecm

  • MD5

    013f3bddb8467d83ee326f607729c1a6

  • SHA1

    c3248d2420c64447055a35711249b64a774f389a

  • SHA256

    198f0de0ad9295ded03239d689b9a6e64ce4d694dfdfd27bc002230d1886e38b

  • SHA512

    3da3b34bab838fe1458247c719fc3f0951a82f7912f2aa55a829d8adba7f4047f606d32414dce41254802a266bb14b74966b6db60a9e78cb9a0928101e756997

Malware Config

Targets

    • Target

      ORDER202.EXE

    • Size

      941KB

    • MD5

      0a3d357409cb2337a4d533b64b8265cd

    • SHA1

      33cd12b0333af20dcb611b1f42d6a62f8167e90b

    • SHA256

      5f678c283847316bd366cc6a5dcd2b20072271080f493607a03ecd5d26ba65a7

    • SHA512

      8b2f1ad1c8260e2afabf8290d680ee29249fe2edb79d7740b039729f9cc5bbd3231836ac249a206488cb375efe9c3f5979b9b1b7e30e56b19c5692365b67fb64

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.

    • MassLogger

      MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger Main Payload

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Modifies visibility of file extensions in Explorer

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scheduled Task (T1053): 1

Persistence

  • Hidden Files and Directories (T1158): 1

  • Scheduled Task (T1053): 1

Privilege Escalation

  • Scheduled Task (T1053): 1

Defense Evasion

  • Hidden Files and Directories (T1158): 1

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Collection

  • Email Collection (T1114): 1

Tasks