General

  • Target: f540b9fdb27c1e9e6c0c05a2c020044a.exe
  • Size: 863KB
  • Sample: 201109-5gn9tdgmna
  • MD5: f540b9fdb27c1e9e6c0c05a2c020044a
  • SHA1: ee4070cec57f16884fc511ee4a5b61d06585c6aa
  • SHA256: a2c284a50d4fc05794e3bce123492bd9e547b272d9f7b87832fdc72b681580e7
  • SHA512: 101791d8c003b446f5f92b9186026a549993dd654e334e11dc41e92a232c49df7df83f232c96106fb7d6e94f8ced59a1165c4afe88c5bdec8a3f7a6bc462fd17

Malware Config

Extracted

Path: C:\Users\Admin\AppData\Local\Temp\5FADD7138A\Log.txt
Family: masslogger
Ransom Note:

#################################################################
MassLogger v1.3.3.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.51
Location: United States
OS: Microsoft Windows 7 Professional 64bit
CPU: Persocon Processor 2.5+
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 11/10/2020 4:47:04 PM
MassLogger Started: 11/10/2020 4:46:57 PM
Interval: 2 hour
MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
As Administrator: True

Extracted

Path: C:\Users\Admin\AppData\Local\Temp\AEA604E53D\Log.txt
Family: masslogger
Ransom Note:

#################################################################
MassLogger v1.3.3.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.13
Location: United States
OS: Microsoft Windows 10 Pro64bit
CPU: Persocon Processor 2.5+
GPU: Microsoft Basic Display Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 11/10/2020 5:47:15 PM
MassLogger Started: 11/10/2020 5:47:09 PM
Interval: 2 hour
MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
As Administrator: True

Targets

    • CoreEntity .NET Packer: CoreEntity is a .NET packer that embeds its payload as a BitMap object, which is later decrypted.
    • MassLogger: MassLogger is a .NET stealer that targets passwords stored by browsers, email clients and cryptocurrency clients.
    • MassLogger log file: Detects a log file produced by MassLogger.
    • rezer0: Detects ReZer0, a packer with multiple versions used in various campaigns.
    • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials.
    • Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                 Count  ID
Execution             Scheduled Task            1      T1053
Persistence           Scheduled Task            1      T1053
Privilege Escalation  Scheduled Task            1      T1053
Credential Access     Credentials in Files      1      T1081
Collection            Data from Local System    1      T1005

Tasks