Overview

overview

10

Static

static

EO09844Y4Y4.exe

windows7_x64

10

EO09844Y4Y4.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    EO09844Y4Y4.COM

  • Size

    1.2MB

  • Sample

    220613-llkqyabdh3

  • MD5

    10d01d4cd2c896a5573c90465dd6548f

  • SHA1

    365c81314ba3c23717734efaa78ec5844d37a9b2

  • SHA256

    30e4bf20932ff913f614d755aa681f3db76cbaf5c6ec08bd668459fab2bf9277

  • SHA512

    9b4b7dbfd8203353cf24f8ef73f1c0078b8a663a2282dc848b4fa1aeb3e3da7ee5f92b10617146627c729501e59237075cc5f8b791c43c556dac9939aa1c7cd3

Score
10/10
massloggercollectionevasionspywarestealer

Malware Config

Targets

    • Target

      EO09844Y4Y4.COM

    • Size

      1.2MB

    • MD5

      10d01d4cd2c896a5573c90465dd6548f

    • SHA1

      365c81314ba3c23717734efaa78ec5844d37a9b2

    • SHA256

      30e4bf20932ff913f614d755aa681f3db76cbaf5c6ec08bd668459fab2bf9277

    • SHA512

      9b4b7dbfd8203353cf24f8ef73f1c0078b8a663a2282dc848b4fa1aeb3e3da7ee5f92b10617146627c729501e59237075cc5f8b791c43c556dac9939aa1c7cd3

    Score
    10/10
    massloggercollectionevasionspywarestealer

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

      stealerspywaremasslogger

    • MassLogger Main Payload

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks