Overview

overview

10

Static

static

Havayolu f...r?.exe

windows7_x64

3

Havayolu f...r?.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a26430545b27b2b2a7a6aa6203d38a60344bd59740acaa1a6cec3c87eb276237

  • Size

    945KB

  • Sample

    220521-nek48sdeg9

  • MD5

    43c42ee54538023f7153a3c7d41e1af3

  • SHA1

    1a0a7952cac2ff0fae1908bf99756825a43e6dba

  • SHA256

    a26430545b27b2b2a7a6aa6203d38a60344bd59740acaa1a6cec3c87eb276237

  • SHA512

    e7106051ca32684d966a36dd8bc9b96a36263920e0cde6acc237ce5bda780383f6ed7882ef41b24317e92fc9b2d5ba6bedcce048c58c07d9f87fac843317bf9b

Score
10/10
massloggercollectionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\F95B724EDE\Log.txt

Family

masslogger

Ransom Note
<|| v2.4.0.0 ||> User Name: Admin IP: 127.0.0.1 Location: United States Windows OS: Microsoft Windows 10 Pro 64bit Windows Serial Key: W269N-WFGWX-YVC9B-4J6C9-T83GX CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 1:43:49 PM MassLogger Started: 5/21/2022 1:43:18 PM Interval: 3 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\Havayolu fatura ayr_nt_lar_.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Window Searcher ||> Disabled <|| Downloader ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> NA

Targets

    • Target

      Havayolu fatura ayr?nt?lar?.exe

    • Size

      1.1MB

    • MD5

      f59c38a6f1f351372576f5c539f4d2c5

    • SHA1

      21dff1b234b063f7110e6356a9f563605bf0e073

    • SHA256

      97f80d8f84f58704f90dee2f317ecc5807f5d250ebde54ff90426ad05ee9db95

    • SHA512

      4df0b1061bf16b3be0051f52c1727c884d277e012ce2c2d3b03ad8f80125ab6de6c98b4be40ce00bf70b3d4a3399fd7acfd9262c1d1deed3351d391d8617066d

    Score
    10/10
    massloggercollectionransomwarespywarestealer

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

      stealerspywaremasslogger

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks