General

  • Target

    4a2998327c65c07148f057e65326099b17a27159243bc8851e8aef90d12ec860

  • Size

    1.4MB

  • Sample

    220521-plxmaafeh3

  • MD5

    426be796aa1c0419ffe1414f4776cfcc

  • SHA1

    77f702f87bd31ab32b9d4f8c9dbf41cbad292990

  • SHA256

    4a2998327c65c07148f057e65326099b17a27159243bc8851e8aef90d12ec860

  • SHA512

    5dffdc77cfe745de97b8bc53231a6c1b67fa1a9902775c0d5c9eb284a4d0dfea88dee080a8be2eaa5ffe0d24679867334a8c69cc38875788dca3f030eb55056d

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.acproyectos.com
  • Port:
    587
  • Username:
    fallas@acproyectos.com
  • Password:
    Falfal207@
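
The extracted configuration is the exfiltration channel: MassLogger mails the stolen data through a hard-coded SMTP account. As an added example (not part of the Triage report and not MassLogger code), the following Python shows how a defender turns that config into a detection: it walks an SMTP transcript, decodes the base64 tokens of AUTH LOGIN and AUTH PLAIN, and flags a session that authenticates as the extracted account or connects to the extracted server. The transcript embedded in the code is constructed for the example and modelled on the AUTH LOGIN exchange such a build would perform; it is not captured traffic. The function names and the "C: "/"S: " transcript convention are the example's own.

```python
import base64
import re
from typing import Optional

# Exfiltration configuration extracted from the sample (values copied from the
# report above). Only the host, port and account are needed for detection.
EXFIL_HOST = "mail.acproyectos.com"
EXFIL_PORT = 587
EXFIL_USER = "fallas@acproyectos.com"


def b64(s: str) -> str:
    """Base64-encode a string the way an SMTP client sends AUTH tokens."""
    return base64.b64encode(s.encode()).decode()


def unb64(token: str) -> Optional[str]:
    """Decode one SMTP AUTH token; None if it is not well-formed base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def extract_smtp_auth(transcript: str) -> list:
    """Recover credentials from the client side of an SMTP transcript.

    Lines starting "C: " are client->server, "S: " server->client (the example's
    own convention). Two mechanisms are handled:
      AUTH LOGIN  - username and password as two separate base64 tokens, each
                    sent after a 334 prompt; the username may also be given on
                    the AUTH line itself (initial response).
      AUTH PLAIN  - one base64 token decoding to "authzid\\0authcid\\0password".
    """
    client = [ln[3:].strip() for ln in transcript.splitlines() if ln.startswith("C: ")]
    found = []
    i = 0
    while i < len(client):
        m = re.match(r"AUTH\s+(LOGIN|PLAIN)(?:\s+(\S+))?$", client[i], re.IGNORECASE)
        if not m:
            i += 1
            continue
        mech, first = m.group(1).upper(), m.group(2)
        if first is None:  # no initial response: token comes on the next client line
            i += 1
            first = client[i] if i < len(client) else ""
        if mech == "PLAIN":
            parts = (unb64(first) or "").split("\0")
            if len(parts) == 3:
                found.append({"mechanism": "PLAIN", "user": parts[1], "password": parts[2]})
        else:
            i += 1  # LOGIN: the password token follows the username token
            user = unb64(first)
            password = unb64(client[i]) if i < len(client) else None
            if user is not None and password is not None:
                found.append({"mechanism": "LOGIN", "user": user, "password": password})
        i += 1
    return found


def match_exfil_config(transcript: str, dst_host: str, dst_port: int) -> list:
    """Alert when a session goes to the configured exfil server or logs in as
    the configured exfil account. The account is the stronger indicator: the
    mail server itself may also carry legitimate traffic."""
    alerts = []
    if dst_host.lower() == EXFIL_HOST and dst_port == EXFIL_PORT:
        alerts.append(f"SMTP session to MassLogger exfil server {dst_host}:{dst_port}")
    for cred in extract_smtp_auth(transcript):
        if cred["user"].lower() == EXFIL_USER:
            alerts.append(f"AUTH {cred['mechanism']} as MassLogger exfil account {cred['user']}")
    return alerts


# Constructed transcript modelled on an AUTH LOGIN exchange to the configured
# server; written for this example, not captured traffic.
SAMPLE_TRANSCRIPT = "\n".join([
    "S: 220 mail.acproyectos.com ESMTP",
    "C: EHLO DESKTOP-1",
    "S: 250-mail.acproyectos.com",
    "S: 250 AUTH LOGIN PLAIN",
    "C: AUTH LOGIN",
    "S: 334 VXNlcm5hbWU6",        # base64("Username:")
    "C: " + b64(EXFIL_USER),
    "S: 334 UGFzc3dvcmQ6",        # base64("Password:")
    "C: " + b64("Falfal207@"),
    "S: 235 2.7.0 Authentication successful",
    "C: MAIL FROM:<fallas@acproyectos.com>",
    "C: RCPT TO:<fallas@acproyectos.com>",
])

if __name__ == "__main__":
    for cred in extract_smtp_auth(SAMPLE_TRANSCRIPT):
        print(cred)
    for alert in match_exfil_config(SAMPLE_TRANSCRIPT, EXFIL_HOST, EXFIL_PORT):
        print("ALERT:", alert)
```

Match on the account, not only the host: mail.acproyectos.com is likely a legitimate mail server whose mailbox was abused, so the hostname alone will also catch the owner's normal mail, while the AUTH username is specific to this build. The same logic applies to mail-gateway or proxy logs that record the AUTH token. Treat the credentials as evidence and indicators only; do not log in to the account.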

Targets

    • Target

      PO.exe

    • Size

      1.5MB

    • MD5

      f512638b09983b315c24199bffae80cc

    • SHA1

      f62de084522901915b43ce766bca6e3a0797cdf3

    • SHA256

      f937bbe27c6d52452a121bc9aa320c26ae7eada7cadc9dda0fafc2c6b1bd5818

    • SHA512

      a9566748c0c34168fafc88d2e3c1522fc7d1422266fa65b1beafbc82f45a88394d4ada16104b011e97f5e1396fa745d20bee185dc11447f4ad162e5c7ada48d8

    • MassLogger

      MassLogger is a .NET stealer that targets saved passwords in browsers, email clients and cryptocurrency wallets.

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers routinely target stored browser data, which can include saved credentials, cookies and form autofill entries.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites a thread's register state, including the instruction pointer; malware uses it to redirect execution into injected or hollowed process memory.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                  Technique                      Count  ID
  Execution               Scheduled Task                 1      T1053
  Persistence             Scheduled Task                 1      T1053
  Privilege Escalation    Scheduled Task                 1      T1053
  Credential Access       Credentials in Files           1      T1081
  Discovery               Query Registry                 1      T1012
  Discovery               System Information Discovery   2      T1082
  Collection              Data from Local System         1      T1005
  Collection              Email Collection               1      T1114

  IDs follow ATT&CK v6, as the report states. In current ATT&CK, T1081 has been folded into T1552.001 (Unsecured Credentials: Credentials In Files) and T1053 is named Scheduled Task/Job.
