Overview

overview

10

Static

static

20200408__...LS.exe

windows7_x64

10

20200408__...LS.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a7356c1b5bd52aa3e0fe04f9084b27d1c30b21ab02b7cb3dc12b7dd47728805d

  • Size

    892KB

  • Sample

    220520-rvn3lsgdh8

  • MD5

    28f3c1353ab364145ad744d3440a5904

  • SHA1

    cd1183784e979c4ef3ca4a7b2413e2d5099e201d

  • SHA256

    a7356c1b5bd52aa3e0fe04f9084b27d1c30b21ab02b7cb3dc12b7dd47728805d

  • SHA512

    e9f9bb4fcd3dcd88fd0be9d4651a85d7dcab26b62a698892b650966f9359016c000730724443a8c6b99387050fa9a1ef31893f0daef148c0d317ceca724d8e38

Score
10/10
massloggercollectionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Family

masslogger

Ransom Note
<|| v2.2.0.0 ||> User Name: Admin IP: 154.61.71.51 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/20/2022 3:41:45 PM MassLogger Started: 5/20/2022 3:41:34 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\20200408__001003001001.XLS.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| USB Spread ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> NA

Extracted

Path

C:\Users\Admin\AppData\Local\19E979543A\Log.txt

Family

masslogger

Ransom Note
<|| v2.2.0.0 ||> User Name: Admin IP: 154.61.71.13 Location: United States Windows OS: Microsoft Windows 10 Pro 64bit Windows Serial Key: W269N-WFGWX-YVC9B-4J6C9-T83GX CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/20/2022 5:41:09 PM MassLogger Started: 5/20/2022 5:40:56 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\20200408__001003001001.XLS.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| USB Spread ||> Disabled <|| Downloader ||> Disabled <|| Bot Killer ||> Disabled <|| Window Searcher ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> NA

Targets

    • Target

      20200408__001003001001.XLS.exe

    • Size

      1.2MB

    • MD5

      8b13b35d3207a2dd036004fa35a91606

    • SHA1

      fd98311b1e629afa8d519a7005b0b9f578006cf9

    • SHA256

      f7c64b437d10f5483b3a78cbf4a08f22cd829c60515c312d2bd21e1a37e250ce

    • SHA512

      156eaf124b66f31274547f31a53863471a853c9afde4787730fb97bd447d933ce4b5d8e0720662480cf65564e1e96ef9325b41b56788a057b4ef1e73b6b48693

    Score
    10/10
    massloggercollectionransomwarespywarestealer

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

      stealerspywaremasslogger

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks