masslogger

General

Target

Wondershare Filmora X v10.1.20.15 (x64) Multilingual Portable\Wondershare Filmora X.exe
Size

271.0MB
Sample

211205-jl7jlacbdk
MD5

a460b6395dd176f992f5688661439e59
SHA1

548ac291d695b6d95653a4e693bd50ff2be8b520
SHA256

0c6db99feb8a07663bd79281076a90df80c3d46e010bfdd6fae3107c15e41d64
SHA512

a841b0d84ec8de4f469faf937f1179e806912f043b53c4812efa9198552932fe7cd46670873e2f72aeb3ba066fa624712f7855c2d808a08392b9aafeb7eb1354

Score

10^/10

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

MBOYO

C2

4Mekey.myftp.biz:4782

Mutex

50c0cc9d-df81-47e4-b3ed-27ffef03eebc

Attributes

encryption_key
DAE9E02E5E04D59D9AF2AA1D5E82248D5919AC6A
install_name
Windows Update.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Windows
subdirectory
System32

Targets

- Target
  
  Wondershare Filmora X v10.1.20.15 (x64) Multilingual Portable\Wondershare Filmora X.exe
- Size
  
  271.0MB
- MD5
  
  a460b6395dd176f992f5688661439e59
- SHA1
  
  548ac291d695b6d95653a4e693bd50ff2be8b520
- SHA256
  
  0c6db99feb8a07663bd79281076a90df80c3d46e010bfdd6fae3107c15e41d64
- SHA512
  
  a841b0d84ec8de4f469faf937f1179e806912f043b53c4812efa9198552932fe7cd46670873e2f72aeb3ba066fa624712f7855c2d808a08392b9aafeb7eb1354
Score

10^/10

discovery masslogger quasar mboyo spyware stealer suricata trojan upx
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
  stealer spyware masslogger
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Vidar log file
  Detects a log file produced by Vidar.
- suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
  suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
  suricata
- Blocklisted process makes network request
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Quasar Payload

Quasar RAT

Vidar log file

suricata: ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Blocklisted process makes network request

Executes dropped EXE

UPX packed file

Drops startup file

Loads dropped DLL

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2