masslogger | 2fe76f953de7338f202e10237e3a43639663429dde38d3a69c1c577ccdc61d2a

General

Target

New Order.exe
Size

852KB
MD5

61763eb6479d4859723720ef50e910b7
SHA1

17b75ac6c43a1f3953ee3f0eaab4c3f7b47fddb5
SHA256

5c3dc2f467e51b4a48a9bf1f068fe562b5d9687780da0fdb35c8f5836df0a550
SHA512

d397197e7dd81bc7b341c018b1edc723dcb18eab899b536e4a3e8621ee8e01e593b23c2cdbd533ea61f5c5e1ab68688da756423fd7713f4665906341dc68a0eb
SSDEEP

12288:AC7EMuLtRjRJN4+KzCqamEmZTu1saAlnbGZixL+1zvpYAzqwiZRislPKiabMKjQS:ACHu32+KgPmtuenbGeoNPH4D7ak2b

Score

10^/10

masslogger zgrat collection evasion rat rezer0 spyware stealer

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3108-12-0x0000000005880000-0x0000000005928000-memory.dmp	family_zgrat_v1

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3108-12-0x0000000005880000-0x0000000005928000-memory.dmp	family_masslogger

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

New Order.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	New Order.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/3108-7-0x0000000005420000-0x00000000054D0000-memory.dmp	rezer0

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New Order.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	New Order.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs

collection

Email Collection

T1114

Processes:

New Order.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New Order.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	New Order.exe
Key queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New Order.exe
Key queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	New Order.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	New Order.exe
Key opened	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New Order.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	New Order.exe
Key queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New Order.exe
Key opened	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New Order.exe
Key queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	New Order.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New Order.exe
Key queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New Order.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New Order.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New Order.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New Order.exe
Key opened	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New Order.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New Order.exe
Key queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	New Order.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

36 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2796 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

New Order.exe

pid process

3108 New Order.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

New Order.exe

pid process

3108 New Order.exe
3108 New Order.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

New Order.exe

description pid process

Token: SeDebugPrivilege 3108 New Order.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

New Order.exe

pid process

3108 New Order.exe

flow	ioc
36	api.ipify.org

pid	process
2796	schtasks.exe

pid	process
3108	New Order.exe

pid	process
3108	New Order.exe
3108	New Order.exe

description	pid	process
Token: SeDebugPrivilege	3108	New Order.exe

pid	process
3108	New Order.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

New Order.exe

description	pid	process	target process
PID 3108 wrote to memory of 2796	3108	New Order.exe	schtasks.exe
PID 3108 wrote to memory of 2796	3108	New Order.exe	schtasks.exe
PID 3108 wrote to memory of 2796	3108	New Order.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

New Order.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New Order.exe

outlook_win_path 1 IoCs

Processes:

New Order.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New Order.exe

C:\Users\Admin\AppData\Local\Temp\New Order.exe
"C:\Users\Admin\AppData\Local\Temp\New Order.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3108

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JJKEGDkeIy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp"
2⤵
- Creates scheduled task(s)
PID:2796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB824.tmp
Filesize
1KB

MD5
84302ac3594b9c8c66704befa408b7ac

SHA1
cd99ae8f43bc7e8526a2467683bc2e2c3e903c3f

SHA256
54c27f3e4d259aeb5af523c5836d8763ffb07670568aacaecf0fbd98ff76700a

SHA512
49f7f2f22a021bb01ede73921a4213d64fe14da8a6bc99af11c4371ad44d3083bb254ff848e6e306145923d6ecd319a7f9fa51e387da36439cc22f297c52ea5e

Download Submit
memory/3108-8-0x0000000005E30000-0x00000000063D4000-memory.dmp

Filesize
5.6MB

Download
memory/3108-3-0x0000000004D40000-0x0000000004D56000-memory.dmp

Filesize
88KB

Download
memory/3108-12-0x0000000005880000-0x0000000005928000-memory.dmp

Filesize
672KB

Download
memory/3108-13-0x0000000005960000-0x00000000059A4000-memory.dmp

Filesize
272KB

Download
memory/3108-5-0x00000000750BE000-0x00000000750BF000-memory.dmp

Filesize
4KB

Download
memory/3108-6-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/3108-7-0x0000000005420000-0x00000000054D0000-memory.dmp

Filesize
704KB

Download
memory/3108-0-0x00000000750BE000-0x00000000750BF000-memory.dmp

Filesize
4KB

Download
memory/3108-39-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/3108-2-0x0000000004D70000-0x0000000004E0C000-memory.dmp

Filesize
624KB

Download
memory/3108-4-0x0000000004F00000-0x0000000004F92000-memory.dmp

Filesize
584KB

Download
memory/3108-14-0x00000000069C0000-0x0000000006A26000-memory.dmp

Filesize
408KB

Download
memory/3108-15-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/3108-22-0x0000000007310000-0x000000000731A000-memory.dmp

Filesize
40KB

Download
memory/3108-23-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/3108-27-0x0000000008630000-0x0000000008680000-memory.dmp

Filesize
320KB

Download
memory/3108-38-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/3108-1-0x0000000000310000-0x00000000003EC000-memory.dmp

Filesize
880KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads