General

  • Target

    05b37fed91a4de9d7442349ccd379719c3b9dd9b220d28b702adfb25f05d010c

  • Size

    904KB

  • Sample

    220520-p9kmmacge9

  • MD5

    443e88cebec0121202f20edf999ef955

  • SHA1

    01a386556ad98eff5ed212fae02f7d3cdf601113

  • SHA256

    05b37fed91a4de9d7442349ccd379719c3b9dd9b220d28b702adfb25f05d010c

  • SHA512

    cd4fb0c56a8dbb78b451d513d0f96234328c4c5dacd1e8379a91b99d4c33454f487b3826ebabed312761ed7af2dfbc40b3baa3f7c9abdf3c6dadfb91f88defbc

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\8506BBE7FF\Log.txt

Family

masslogger

Ransom Note
#################################################################
MassLogger v1.3.5.0
#################################################################

### Logger Details ###
User Name: Admin
IP: 154.61.71.13
Location: United States
OS: Microsoft Windows 7 Ultimate 64bit
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/20/2022 3:06:10 PM
MassLogger Started: 5/20/2022 3:05:56 PM
Interval: 2 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\scan00465.pdf.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.saritatravels.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    sumits%$321

Targets

    • Target

      scan00465.pdf.exe

    • Size

      1.1MB

    • MD5

      6518afc08223493b4e6303248a6c70d0

    • SHA1

      e0b419b7f13e1271f32b46551febed8d5168f328

    • SHA256

      f98d355a4771e886220488b0bffa005af9769480cde5aad275d4166c2f9b2e48

    • SHA512

      85a3956cccf90116220b6cd6bc63898806bc703589d5e5d7ccc4bfc13a0908ea3538d4b5dbc7af075e11c016f18029e11a7c510ed1af393f4e1ef9244cc71813

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                Technique                     ID     Count
  Execution             Scheduled Task                T1053  1
  Persistence           Scheduled Task                T1053  1
  Privilege Escalation  Scheduled Task                T1053  1
  Credential Access     Credentials in Files          T1081  1
  Discovery             Query Registry                T1012  1
  Discovery             System Information Discovery  T1082  2
  Collection            Data from Local System        T1005  1
  Collection            Email Collection              T1114  1

Tasks