General

  • Target

    PO-7546354.exe

  • Size

    821KB

  • Sample

    200708-h1lac1zals

  • MD5

    0e39e0f49e3f74b7fe492f2f9b4e0969

  • SHA1

    bc7fce8afc2a2d379e3e0714191dae859e3771a8

  • SHA256

    b8ac4a45dbd25ba8bb4f71d53bb8615f6d00b9be95b6e976567377957d92c428

  • SHA512

    a9b7539a91aa8593b5a15f2536069591e105ab75484a2bf3900aedbe9c2f6ab6bbed33ab000995f776471f51c86df17a17475c3997a000b854324d42eec4783c

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\E2C1E8F1FA\Log.txt

Family

masslogger

Ransom Note
    ################################################################# MassLogger v1.3.6.0 #################################################################
    ### Logger Details ###
    User Name: Admin
    IP: 154.61.71.51
    Location: United States
    Windows OS: Microsoft Windows 7 Professional 64bit
    Windows Serial Key: HYF8J-CVRMY-CM74G-RPHKF-PW487
    CPU: Persocon Processor 2.5+
    GPU: Standard VGA Graphics Adapter
    AV: NA
    Screen Resolution: 1280x720
    Current Time: 7/8/2020 10:06:37 AM
    MassLogger Started: 7/8/2020 10:06:31 AM
    Interval: 2 hour
    MassLogger Process: C:\Users\Admin\AppData\Local\Temp\PO-7546354.exe
    MassLogger Melt: false
    MassLogger Exit after delivery: false
    As Administrator: True
    Processes:

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    cruizjamesvhjkl@

Targets

    • MassLogger

      MassLogger is a .NET stealer that targets saved passwords from browsers, email clients and cryptocurrency clients.

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks