Resubmissions

16-06-2020 09:51

200616-esgd48lx3e 10

26-05-2020 12:05

200526-67qev7hzae 10

General

  • Target

    ZIRAT BANKA.IFT MESAJI

  • Size

    1.2MB

  • Sample

    200616-esgd48lx3e

  • MD5

    96463f1796847224b85a96752b59ff17

  • SHA1

    ca05cf6c0eac29a22d1296a15804cec36a908347

  • SHA256

    1f1e1c079253f774dc02a7ff4e103a781573288802ba8c87af6790626fbcfca6

  • SHA512

    cd27c0801d2d33ddb0ce26a769fd51e844f8ac7301079afab3c786822c529cb924b7db7e4a1992af77edf011ad4ffd586191a8754ca3738846605eb67acf3f5c

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\C8A579F880\Log.txt

Family

masslogger

Ransom Note
    ################################################################# MassLogger v1.3.4.0 #################################################################
    ### Logger Details ###
    User Name: Admin
    IP: 154.61.71.13
    Location: United States
    OS: Microsoft Windows 7 Professional 64bit
    CPU: Persocon Processor 2.5+
    GPU: Standard VGA Graphics Adapter
    AV: NA
    Screen Resolution: 1280x720
    Current Time: 6/16/2020 11:52:28 AM
    MassLogger Started: 6/16/2020 11:52:25 AM
    Interval: 2 hour
    MassLogger Process: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    MassLogger Melt: false
    MassLogger Exit after delivery: false
    As Administrator: True
    Processes:

Targets

    • Target

      ZIRAT BANKA.IFT MESAJI

    • Size

      1.2MB

    • MD5

      96463f1796847224b85a96752b59ff17

    • SHA1

      ca05cf6c0eac29a22d1296a15804cec36a908347

    • SHA256

      1f1e1c079253f774dc02a7ff4e103a781573288802ba8c87af6790626fbcfca6

    • SHA512

      cd27c0801d2d33ddb0ce26a769fd51e844f8ac7301079afab3c786822c529cb924b7db7e4a1992af77edf011ad4ffd586191a8754ca3738846605eb67acf3f5c

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
