General

  • Target

    scan00465.pdf.exe

  • Size

    1.2MB

  • Sample

    201109-2p7cjf9ste

  • MD5

    52555fd6673c6f44b7b57d6e1833d1ef

  • SHA1

    6c7dc7a759845917b43da8d5dd73e8f34623adff

  • SHA256

    9ae31235da17306c07a77f94a3541a835f0033df9bc7636a39c984e8cea9e72a

  • SHA512

    a217c4dc99f575c76d3894f2a4e78d810d00a8e5423093c3e9e622b4f94f46261efb74be76278d72c139f0196d20774ecc0ceb2f670768932fcf4e439df38847

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\60F5850B53\Log.txt

Family

masslogger

Ransom Note (sandbox field label; the extracted text is the header of MassLogger's own log file, the sample is a stealer, not ransomware)

#################################################################
MassLogger v1.3.5.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.13
Location: United States
OS: Microsoft Windows 7 Professional 64bit
CPU: Persocon Processor 2.5+
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 11/10/2020 5:25:23 PM
MassLogger Started: 11/10/2020 5:25:13 PM
Interval: 2 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\scan00465.pdf.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.saritatravels.com
  • Port:
    587
  • Username:
    sumits@saritatravels.com
  • Password:
    sumits%$321

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\7C372DB998\Log.txt

Family

masslogger

Ransom Note (sandbox field label; the extracted text is the header of MassLogger's own log file from the second analysis VM)

#################################################################
MassLogger v1.3.5.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.13
Location: United States
OS: Microsoft Windows 10 Pro64bit
CPU: Persocon Processor 2.5+
GPU: Microsoft Basic Display Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 11/10/2020 5:25:14 PM
MassLogger Started: 11/10/2020 5:25:09 PM
Interval: 2 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\scan00465.pdf.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:
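The two extractions above are MassLogger's own log header, flattened onto one line by the sandbox. The following is an added example, not part of this report and not MassLogger code: a small Python parser that splits that header back into fields and then derives the host and network indicators an analyst would pull from it together with the extracted SMTP configuration. The two log strings, the sample path and the SMTP host, port and username are copied from this report; the field names in the key list are the ones visible in the header.

```python
import re

# Log headers as the sandbox extracted them, flattened onto one line (copied from this report).
LOG_WIN7 = (
    "################################################################# MassLogger v1.3.5.0 "
    "################################################################# ### Logger Details ### "
    "User Name: Admin IP: 154.61.71.13 Location: United States "
    "OS: Microsoft Windows 7 Professional 64bit CPU: Persocon Processor 2.5+ "
    "GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 "
    "Current Time: 11/10/2020 5:25:23 PM MassLogger Started: 11/10/2020 5:25:13 PM "
    r"Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\scan00465.pdf.exe "
    "MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:"
)
LOG_WIN10 = (
    "################################################################# MassLogger v1.3.5.0 "
    "################################################################# ### Logger Details ### "
    "User Name: Admin IP: 154.61.71.13 Location: United States "
    "OS: Microsoft Windows 10 Pro64bit CPU: Persocon Processor 2.5+ "
    "GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 "
    "Current Time: 11/10/2020 5:25:14 PM MassLogger Started: 11/10/2020 5:25:09 PM "
    r"Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\scan00465.pdf.exe "
    "MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:"
)

# SMTP exfiltration settings extracted from the sample (copied from this report; password omitted).
SMTP = {"protocol": "smtp", "host": "mail.saritatravels.com", "port": 587,
        "username": "sumits@saritatravels.com"}

# Field names exactly as they appear in the header. The regex requires "<key>:" to be
# preceded by whitespace (or start of text), so "MassLogger Process" and "Processes"
# cannot be confused with each other.
KEYS = [
    "User Name", "IP", "Location", "OS", "CPU", "GPU", "AV", "Screen Resolution",
    "Current Time", "MassLogger Started", "Interval", "MassLogger Process",
    "MassLogger Melt", "MassLogger Exit after delivery", "As Administrator", "Processes",
]
KEY_RE = re.compile(r"(?:^|(?<=\s))(" + "|".join(re.escape(k) for k in KEYS) + r"):")
VERSION_RE = re.compile(r"MassLogger v(\d+(?:\.\d+)*)")


def parse_masslogger_header(text):
    """Split a flattened MassLogger log header into a {field: value} dict."""
    fields = {}
    m = VERSION_RE.search(text)
    if m:
        fields["version"] = m.group(1)
    parts = KEY_RE.split(text)          # [preamble, key1, value1, key2, value2, ...]
    for key, value in zip(parts[1::2], parts[2::2]):
        fields[key] = value.strip()
    return fields


def extract_iocs(fields, smtp):
    """Derive host and network indicators from the parsed header and the SMTP config."""
    iocs = []
    proc = fields.get("MassLogger Process", "")
    if proc:
        iocs.append(("file_path", proc))
        if re.search(r"\\AppData\\Local\\Temp\\", proc, re.I):
            iocs.append(("note", "payload ran from the user's Temp directory"))
    if fields.get("As Administrator", "").lower() == "true":
        iocs.append(("note", "ran with administrative rights"))
    if fields.get("MassLogger Melt", "").lower() == "false":
        iocs.append(("note", "Melt disabled: the binary does not delete itself and should still be on disk"))
    m = re.match(r"(\d+)\s*(hour|minute|second)", fields.get("Interval", ""))
    if m:
        iocs.append(("note", f"delivers collected data every {m.group(1)} {m.group(2)}(s)"))
    if smtp.get("protocol") == "smtp":
        iocs.append(("network", f"{smtp['host']}:{smtp['port']}"))
        iocs.append(("email", smtp["username"]))
    return iocs


if __name__ == "__main__":
    for log in (LOG_WIN7, LOG_WIN10):
        parsed = parse_masslogger_header(log)
        print(parsed["OS"], "|", parsed["MassLogger Process"])
        for kind, value in extract_iocs(parsed, SMTP):
            print(f"  {kind:9} {value}")
```

The parser keys on the literal field names rather than on newlines, so it works on the flattened form the sandbox produces as well as on a log recovered from disk. Note that the "Melt: false" setting means the executable is not self-deleted after running, which matters when collecting the sample from an infected host.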

Targets

    • Target

      scan00465.pdf.exe

    • Size

      1.2MB

    • MD5

      52555fd6673c6f44b7b57d6e1833d1ef

    • SHA1

      6c7dc7a759845917b43da8d5dd73e8f34623adff

    • SHA256

      9ae31235da17306c07a77f94a3541a835f0033df9bc7636a39c984e8cea9e72a

    • SHA512

      a217c4dc99f575c76d3894f2a4e78d810d00a8e5423093c3e9e622b4f94f46261efb74be76278d72c139f0196d20774ecc0ceb2f670768932fcf4e439df38847

    • CoreEntity .NET Packer

      A .NET packer (CoreEntity) that carries its payload as an embedded Bitmap object, which is decrypted at runtime before the real payload is loaded.

    • MassLogger

      MassLogger is a .NET stealer that targets saved passwords from browsers, email clients and cryptocurrency wallets.

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • rezer0

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check before the payload runs.

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser profile data, which can include saved credentials, cookies and autofill entries.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext on a thread of another process is the usual final step of process hollowing and similar injection: the payload is written into a suspended process and the thread's instruction pointer is redirected to it.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                      Signatures  ID
  Execution              Scheduled Task                 1           T1053
  Persistence            Scheduled Task                 1           T1053
  Privilege Escalation   Scheduled Task                 1           T1053
  Credential Access      Credentials in Files           1           T1081
  Discovery              Query Registry                 1           T1012
  Discovery              System Information Discovery   1           T1082
  Collection             Data from Local System         1           T1005
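The signatures and ATT&CK rows above describe behaviours, not detections. As an added example (not from this report and not from any vendor signature set), the following Python encodes the geofence registry read, browser credential-store access, external IP lookup, SMTP exfiltration and scheduled-task persistence as rules over constructed Sysmon-style events, and maps each hit back to the technique IDs listed in the matrix. The registry key, the Chrome profile path, the IP-echo hostnames and the schtasks command line are representative assumptions; only the sample path and mail.saritatravels.com:587 come from the report.

```python
import re

# Constructed Sysmon-style events for the behaviours this report lists. They are
# illustrative, not records from the sandbox run: the registry key, browser profile
# path, IP-echo host and schtasks command line are assumptions. The sample path and
# the mail host/port are taken from the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\scan00465.pdf.exe"
EVENTS = [
    {"type": "RegistryQuery", "image": SAMPLE,
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "FileRead", "image": SAMPLE,
     "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "NetworkConnect", "image": SAMPLE, "dest_host": "api.ipify.org", "dest_port": 443},
    {"type": "NetworkConnect", "image": SAMPLE, "dest_host": "mail.saritatravels.com", "dest_port": 587},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe", "parent_image": SAMPLE,
     "cmdline": r'schtasks /create /sc minute /mo 120 /tn "Updater" /tr "' + SAMPLE + '"'},
    # Benign control event: an ordinary document read by explorer.exe, should match nothing.
    {"type": "FileRead", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\Admin\Documents\notes.txt"},
]

# Assumed list of public IP-echo services; extend from your own proxy/DNS telemetry.
IP_ECHO_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ifconfig.me", "ip-api.com"}
# Credential/cookie stores of Chromium- and Firefox-based browsers.
BROWSER_STORES = re.compile(r"\\(Login Data|Web Data|Cookies|logins\.json|key4\.db|cookies\.sqlite)$", re.I)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def from_user_temp(path):
    return bool(USER_TEMP.search(path or ""))


def rule_geofence(ev):
    return ev["type"] == "RegistryQuery" and ev["key"].lower().endswith(r"international\geo\nation")


def rule_browser_data(ev):
    return ev["type"] == "FileRead" and bool(BROWSER_STORES.search(ev["path"]))


def rule_ip_lookup(ev):
    return ev["type"] == "NetworkConnect" and ev["dest_host"].lower() in IP_ECHO_HOSTS


def rule_smtp_from_temp(ev):
    # Mail submission ports used directly by a binary living in the user's Temp directory.
    return (ev["type"] == "NetworkConnect" and ev["dest_port"] in (25, 465, 587)
            and from_user_temp(ev["image"]))


def rule_schtask_from_temp(ev):
    return (ev["type"] == "ProcessCreate" and ev["image"].lower().endswith(r"\schtasks.exe")
            and "/create" in ev["cmdline"].lower() and from_user_temp(ev.get("parent_image")))


# (signature name, ATT&CK v6 technique from the report's matrix or None, predicate)
RULES = [
    ("Checks computer location settings", "T1012", rule_geofence),
    ("Reads user/profile data of web browsers", "T1081", rule_browser_data),
    ("Looks up external IP address via web service", None, rule_ip_lookup),
    ("SMTP connection from a binary in %TEMP% (exfil channel)", None, rule_smtp_from_temp),
    ("Scheduled Task created by a binary in %TEMP%", "T1053", rule_schtask_from_temp),
]


def evaluate(events):
    """Return one hit per (event, rule) pair that fires."""
    hits = []
    for idx, ev in enumerate(events):
        for name, technique, predicate in RULES:
            if predicate(ev):
                hits.append({"event": idx, "rule": name, "technique": technique})
    return hits


def hit_names(events):
    return sorted({h["rule"] for h in evaluate(events)})


if __name__ == "__main__":
    for h in evaluate(EVENTS):
        print(f"event {h['event']}: {h['rule']} [{h['technique'] or 'no ID in report'}]")
```

Each rule keys on the combination the report shows (the behaviour plus a binary running from the user's Temp directory) rather than on the behaviour alone, since a registry read of the locale or a connection to port 587 by itself is normal on a workstation.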

Tasks