Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
26-05-2024 22:36
General
-
Target
PO28466311.exe
-
Size
1.2MB
-
MD5
052f8ea1a01cb3a6b7df01bfd3868601
-
SHA1
2f75dafd4572c02109d275268534f4935babbe4e
-
SHA256
2c7ac0a31c8828ec11ad0c9dd80f8809fb1248f5c36b6b34d8c9974aa8ecaa06
-
SHA512
f082bdc3eaa1e0383c274aadb03e6c01e0591020cb4107cd072c80fe24e76afafddc4a535a676269efc2c4d3808d7d09faded812211a8e214dec064c02fefe29
-
SSDEEP
12288:oS1QbvgWK5WpLzkQgEuWjzikA1SNuD4cFwJEV6Q576QpVu6kxuCj9Rm:hQbvxaWuQgEfzi1DdFwGBdpUxuCjHm
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Obfuscated with Agile.Net obfuscator 33 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO28466311.exe"C:\Users\Admin\AppData\Local\Temp\PO28466311.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PO28466311.exe"C:\Users\Admin\AppData\Local\Temp\PO28466311.exe"2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94KB
MD514ff402962ad21b78ae0b4c43cd1f194
SHA1f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
6.9MB
-
Filesize
1.2MB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
6.9MB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
160KB
-
Filesize
132KB
-
Filesize
512KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
768KB
-
Filesize
6.9MB
-
Filesize
480KB
-
Filesize
6.9MB
-
Filesize
80KB
-
Filesize
6.9MB