General

  • Target

    c2bc8267e688046e6098da9f7d8621f98dccc412ac5b0c15abd60c83af0c3fe3

  • Size

    746KB

  • Sample

    220521-a778ksbdh5

  • MD5

    428b9ff9528a63ad66e87aa3b84c5749

  • SHA1

    2d6e6bdb382d25560a6d77519fd2c358f8c373f8

  • SHA256

    c2bc8267e688046e6098da9f7d8621f98dccc412ac5b0c15abd60c83af0c3fe3

  • SHA512

    837208ff566d83ef8b08bb97aa2df28231f7aacee862db6e97200fe9fd0c1d6f8e7950637fb48f42460b63500ec84bd9124907b63e40a6203565ff16cc3ac358

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt

Family

masslogger

Log file contents

#################################################################
MassLogger v1.3.3.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.51
Location: United States
OS: Microsoft Windows 7 Ultimate 64bit
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 1:15:35 AM
MassLogger Started: 5/21/2022 1:15:24 AM
Interval: 2 hour
MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
As Administrator: True

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Dmacdavid

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\EEB932C954\Log.txt

Family

masslogger

Log file contents

#################################################################
MassLogger v1.3.3.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.13
Location: United States
OS: Microsoft Windows 10 Pro64bit
CPU: Intel Core Processor (Broadwell)
GPU: Microsoft Basic Display Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 3:16:41 AM
MassLogger Started: 5/21/2022 3:16:35 AM
Interval: 2 hour
MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
As Administrator: True

Targets

    • Target

      Halkbank_Ekstre_20200521_080918_33046.exe

    • Size

      843KB

    • MD5

      6f7418933a75224a3502a87f3f4d7310

    • SHA1

      c14fa0f144bd2bab22c5514df8aab8b69f827f38

    • SHA256

      06c6a06e460067910ca80f6a1bc57555aebb58a7c89ab1be632a72f6c1921a10

    • SHA512

      5a84325fa783746730caf8359fa63b1320fb775c8fd9273188bf6ddf7683758cb8a61d1900b64d5bc512c102546137e2580eeae9d6a2dbc0e08ca65caa495664

    • MassLogger

      MassLogger is a .NET credential stealer that targets passwords saved by browsers, email clients and cryptocurrency clients.

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

      Setting the context of a thread in another process is a common step in process hollowing; consistent with that, both extracted logs report the logger running inside the legitimate .NET utility C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe.
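The "MassLogger log file" signature above fires on the header format shown in the two extracted Log.txt files. The following parser is an added example, not code from the sandbox or from this report, that recognises that header and pulls out the fields an analyst would pivot on (victim IP, host process, privilege level, exfiltration interval). The sample log is constructed here from the values in the first extracted log; the function names and the field list are my own choices.

```python
import re

# Constructed sample, modelled on the header extracted from
# C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt in this report.
SAMPLE_LOG = r"""#################################################################
MassLogger v1.3.3.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.51
Location: United States
OS: Microsoft Windows 7 Ultimate 64bit
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 1:15:35 AM
MassLogger Started: 5/21/2022 1:15:24 AM
Interval: 2 hour
MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
As Administrator: True
"""

# The version banner is the anchor: without it we do not claim a MassLogger log.
BANNER_RE = re.compile(r"^MassLogger v(\d+(?:\.\d+)+)\s*$", re.M)
# "Key: value" lines; the key may contain spaces but never a colon, so the
# backslash-and-colon heavy Windows path in "MassLogger Process" stays in the value.
FIELD_RE = re.compile(r"^([A-Za-z ]+): (.*)$")


def parse_masslogger_log(text):
    """Return {'version', 'fields'} for a MassLogger log, or None if the banner is absent."""
    banner = BANNER_RE.search(text)
    if banner is None:
        return None
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines and the '#' separator / section lines.
        if not line or line.startswith("#"):
            continue
        kv = FIELD_RE.match(line)
        if kv:
            fields[kv.group(1).strip()] = kv.group(2).strip()
    return {"version": banner.group(1), "fields": fields}


def triage(text):
    """Reduce a parsed log to the indicators worth pivoting on in an investigation."""
    parsed = parse_masslogger_log(text)
    if parsed is None:
        return {"detected": False}
    f = parsed["fields"]
    process = f.get("MassLogger Process", "")
    return {
        "detected": True,
        "version": parsed["version"],
        "victim_ip": f.get("IP"),
        "host_process": process,
        # The logger reporting itself inside InstallUtil.exe is the hollowing hint
        # that pairs with the SetThreadContext signature.
        "runs_in_installutil": process.lower().endswith("installutil.exe"),
        "as_admin": f.get("As Administrator", "").strip().lower() == "true",
        "interval": f.get("Interval"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a real incident the same function can be pointed at every Log.txt found under %TEMP% subdirectories of the pattern seen here (an 10-character hex directory name), and the "Interval" value tells you how often the collected data was being mailed to the SMTP account listed in the extracted credentials.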
