General

  • Target

    PO NO. 369273.exe

  • Size

    847KB

  • Sample

    201109-daqehbapfj

  • MD5

    22ac585c773cef9b561008a2ee7e5ae1

  • SHA1

    307784c15ffd676c41fbe8ba8c7974e14b2a3210

  • SHA256

    1d36a49464b06e161a182dfe3b2631fac5c76556d61d401e385c235fd124f4a1

  • SHA512

    7ecd0ed67c6c1706645de88fcfdeac724e441c9a292089b9b98907478cd5f8682ccb3d6f57c5976b54918246c5aef57f7e82e19b8011be37ef5cc6aaaebe9aa2

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\60F5850B53\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.7.1 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.13 Location: United States Windows OS: Microsoft Windows 7 Professional 64bit Windows Serial Key: HYF8J-CVRMY-CM74G-RPHKF-PW487 CPU: Persocon Processor 2.5+ GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 11/11/2020 5:47:44 AM MassLogger Started: 11/11/2020 5:47:39 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\PO NO. 369273.exe MassLogger Melt: false MassLogger Exit after delivery: true As Administrator: True Processes:

Targets

    • Target

      PO NO. 369273.exe

    • Size

      847KB

    • MD5

      22ac585c773cef9b561008a2ee7e5ae1

    • SHA1

      307784c15ffd676c41fbe8ba8c7974e14b2a3210

    • SHA256

      1d36a49464b06e161a182dfe3b2631fac5c76556d61d401e385c235fd124f4a1

    • SHA512

      7ecd0ed67c6c1706645de88fcfdeac724e441c9a292089b9b98907478cd5f8682ccb3d6f57c5976b54918246c5aef57f7e82e19b8011be37ef5cc6aaaebe9aa2

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger Main Payload

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • rezer0

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Tasks