General

  • Target

    3ecc0863d79785e8b6cb8bf003fcff6c41195e278aaed426ed26144b11d3710c

  • Size

    2.1MB

  • Sample

    220521-pxv8lagbd7

  • MD5

    e44b3f131a4d35aea1f0990816b944f0

  • SHA1

    6ee21f16b4c5422108166a05af9768e3317f8be8

  • SHA256

    3ecc0863d79785e8b6cb8bf003fcff6c41195e278aaed426ed26144b11d3710c

  • SHA512

    d5c6f470d90f7b68ed46103127a312ca93eed173ca6d1e2b4af0fc695fbdda01bcd09d00641d9a65076a070cd2bad442b33c327322e6e8cc3ce842d6ac296b19

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note

#################################################################
MassLogger v1.3.6.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.50
Location: United States
Windows OS: Microsoft Windows 7 Ultimate 64bit
Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 3:16:47 PM
MassLogger Started: 5/21/2022 3:16:36 PM
Interval: 2 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\PO_75463.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    cruizjames@yandex.ru
  • Password:
    cruizjamesvhjkl@

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\F95B724EDE\Log.txt

Family

masslogger

Ransom Note

#################################################################
MassLogger v1.3.6.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.50
Location: United States
Windows OS: Microsoft Windows 10 Pro64bit
Windows Serial Key: W269N-WFGWX-YVC9B-4J6C9-T83GX
CPU: Intel Core Processor (Broadwell)
GPU: Microsoft Basic Display Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 3:16:38 PM
MassLogger Started: 5/21/2022 3:16:35 PM
Interval: 2 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\PO_75463.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:

Targets

    • Target

      PO_75462.EXE

    • Size

      768KB

    • MD5

      22dbfe74635797260671cd5dbbf0a3bc

    • SHA1

      8cbdde1a2319ee60c9f6a9e05d2879362ab44668

    • SHA256

      6a83f449fc1dd1f88e89ba47a29c8e3a12b04145ae4377cddc5ca5a93ead0c91

    • SHA512

      713fa04c7dbf9612bf69336d0cc3b56f433db712a516a6496160706135fad58e8a31cb2a54e893ecebb49b34bf7466b330d44f1e9446fde0af9cda3f118eb88e

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      PO_75463.EXE

    • Size

      821KB

    • MD5

      0e39e0f49e3f74b7fe492f2f9b4e0969

    • SHA1

      bc7fce8afc2a2d379e3e0714191dae859e3771a8

    • SHA256

      b8ac4a45dbd25ba8bb4f71d53bb8615f6d00b9be95b6e976567377957d92c428

    • SHA512

      a9b7539a91aa8593b5a15f2536069591e105ab75484a2bf3900aedbe9c2f6ab6bbed33ab000995f776471f51c86df17a17475c3997a000b854324d42eec4783c

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger Main Payload

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1
    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 4

  • Discovery

    Query Registry (T1012): 2
    System Information Discovery (T1082): 4

  • Collection

    Data from Local System (T1005): 4
    Email Collection (T1114): 2

Tasks