masslogger | 36a4c21f4c6cc8b615bea7141b510fdd5bbae68ee02b262f8215f88f64cf51f6 | Triage

Submit
Reports

Overview

overview

Static

static

CHIKWA..exe

windows7_x64

CHIKWA..exe

windows10_x64

Sharing

General

Target

CHIKWA..exe
Size

20KB
Sample

201201-3dphhhsbfn
MD5

a2efd1ac34c151a0099342619d5d046f
SHA1

d3c39ff8b425565983aa0277c348e7acb49c0007
SHA256

36a4c21f4c6cc8b615bea7141b510fdd5bbae68ee02b262f8215f88f64cf51f6
SHA512

b6a445a1d43cf529d054dc05a42c01337eb1fc3bfc5d00599ed75266ac3407652e73740a49cd0da77768be6e3caa9d98ce1fec636579ef60a8757f5901a70332

Score

10^/10

masslogger persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

CHIKWA..exe

Resource

win7v20201028

masslogger persistence spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

CHIKWA..exe

Resource

win10v20201028

masslogger persistence spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.banoto.com
Port:
587
Username:
misinegol@banoto.com
Password:
ban127001

Targets

- Target
  
  CHIKWA..exe
- Size
  
  20KB
- MD5
  
  a2efd1ac34c151a0099342619d5d046f
- SHA1
  
  d3c39ff8b425565983aa0277c348e7acb49c0007
- SHA256
  
  36a4c21f4c6cc8b615bea7141b510fdd5bbae68ee02b262f8215f88f64cf51f6
- SHA512
  
  b6a445a1d43cf529d054dc05a42c01337eb1fc3bfc5d00599ed75266ac3407652e73740a49cd0da77768be6e3caa9d98ce1fec636579ef60a8757f5901a70332
Score

10^/10

masslogger persistence spyware stealer
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
  stealer spyware masslogger
- MassLogger Main Payload
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

massloggerpersistencespywarestealer

behavioral2

massloggerpersistencespywarestealer

© 2018-2024

Terms | Privacy