masslogger

General

Target

967829fdb0b2f1b7a86923187553ebf53066b92d543ca6d2587519a9700999da
Size

1.9MB
Sample

220521-ad2hyaaba2
MD5

4ccdf3b0fbdeaaefa11e991ea19d18b4
SHA1

fe7f5e0ec4fa6f0385c8977dac3eb4460cad58aa
SHA256

967829fdb0b2f1b7a86923187553ebf53066b92d543ca6d2587519a9700999da
SHA512

d8d496905afcf3fbbc341d3ccb611a02678e74ed2de550d30b927fb2aedee36b6fd1b1e53b56f9e633e446d0cbf1877d9bb94da02bd126b7bc6eefaaac1c214a

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.4.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.51 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 12:18:47 AM MassLogger Started: 5/21/2022 12:18:36 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\781F780B4E\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.4.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.51 Location: United States OS: Microsoft Windows 10 Pro64bit CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 12:18:21 AM MassLogger Started: 5/21/2022 12:18:18 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Targets

- Target
  
  IMAGE.EXE
- Size
  
  1.3MB
- MD5
  
  77fe809f6ab75c8e4ca3b09d79e7d1c5
- SHA1
  
  081154438bcc637acd03bb10e18c71755692ef09
- SHA256
  
  2f4324dda02f8721cf5c0c0ed404de8fedbc46cf8fb1dda0e3ec3d07d6fb42e0
- SHA512
  
  fd36cdffe011dce3104046769f60c5104a5f5c1e4045e82e749281d22ef2461969b41b064c20547fecb47e6c1f4c57fca73b367b307a35a952e8a9e694617a52
Score

10^/10

masslogger agilenet persistence ransomware spyware stealer
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
  stealer spyware masslogger
- MassLogger Main Payload
- MassLogger log file
  Detects a log file produced by MassLogger.
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

MassLogger Main Payload

MassLogger log file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2