Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
25/03/2025, 10:11 UTC
General
-
Target
2487b12f52b803f5d38b3bb9388b039bf4f58c4b5d192d50da5fa047e9db828b.exe
-
Size
514KB
-
MD5
9c73b0f2a593fb39f3c0c80bc2851fbb
-
SHA1
f2678fbd372b1d29870efb306da0169d3a6613c2
-
SHA256
2487b12f52b803f5d38b3bb9388b039bf4f58c4b5d192d50da5fa047e9db828b
-
SHA512
64c3b1e9e3ea08da7bbe073f98b5d78d7a705decce1773dc9468891730e7db5fc999400ae665671a83451ef3d2489a37d0903303313a7847d4d69c85a70e266a
-
SSDEEP
12288:r9djfuZmvMyx1rF+LYkvaQIbuSWkTLRITl3D:rXWXmRF+LFvGuMSD
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main payload 1 IoCs
-
Masslogger family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2487b12f52b803f5d38b3bb9388b039bf4f58c4b5d192d50da5fa047e9db828b.exe"C:\Users\Admin\AppData\Local\Temp\2487b12f52b803f5d38b3bb9388b039bf4f58c4b5d192d50da5fa047e9db828b.exe"1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\2487b12f52b803f5d38b3bb9388b039bf4f58c4b5d192d50da5fa047e9db828b.exe'2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
-
DNSapi.ipify.orgRemote address:8.8.8.8:53Requestapi.ipify.orgIN AResponseapi.ipify.orgIN A104.26.13.205api.ipify.orgIN A172.67.74.152api.ipify.orgIN A104.26.12.205 -
GEThttp://api.ipify.org/Remote address:104.26.13.205:80RequestGET / HTTP/1.1
Host: api.ipify.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Tue, 25 Mar 2025 10:11:33 GMT
Content-Type: text/plain
Content-Length: 14
Connection: keep-alive
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 925d9ff7384a9858-LHR
server-timing: cfL4;desc="?proto=TCP&rtt=42614&min_rtt=42614&rtt_var=21307&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=63&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
104.26.13.205:80http://api.ipify.org/http
HTTP Request
GET http://api.ipify.org/HTTP Response
200
-
8.8.8.8:53api.ipify.orgdns
DNS Request
api.ipify.org
DNS Response
104.26.13.205172.67.74.152104.26.12.205
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
536KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
620KB
-
Filesize
620KB
-
Filesize
620KB