masslogger

General

Target

884d7afa364358317820b0aacc71b8dec7806bd6dc23df488a2df3a5d72b77a6
Size

637KB
Sample

220521-ag2ywaacb9
MD5

17360ed03a6e6240e878e1f307323061
SHA1

dd9113503e06fe55706236b4e5faebbb490e76ce
SHA256

884d7afa364358317820b0aacc71b8dec7806bd6dc23df488a2df3a5d72b77a6
SHA512

c2e6d4be60a48a7e8fb97a8966fc5d0e68d402de3ae9691d63a6503d43217eec0edfe50c903d0d787441e4c56a74b4774452d392a80c6cba8c7e68a8d6a16011

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\3B8E3C2477\Log.txt

Family

masslogger

Ransom Note

<|| v2.4.0.0 ||> User Name: Admin IP: 154.61.71.50 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:24:09 AM MassLogger Started: 5/21/2022 2:24:01 AM Interval: 1 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> Disabled

Extracted

Path

C:\Users\Admin\AppData\Local\3B8E3C2477\Log.txt

Family

masslogger

Ransom Note

<|| v2.4.0.0 ||> User Name: Admin IP: 154.61.71.50 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:24:33 AM MassLogger Started: 5/21/2022 2:24:26 AM Interval: 1 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> Disabled

Extracted

Path

C:\Users\Admin\AppData\Local\3B8E3C2477\Log.txt

Family

masslogger

Ransom Note

<|| v2.4.0.0 ||> User Name: Admin IP: 154.61.71.50 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:25:01 AM MassLogger Started: 5/21/2022 2:24:54 AM Interval: 1 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| Bot Killer ||> Disabled <|| Window Searcher ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> Disabled

Extracted

Path

C:\Users\Admin\AppData\Local\3B8E3C2477\Log.txt

Family

masslogger

Ransom Note

<|| v2.4.0.0 ||> User Name: Admin IP: 154.61.71.50 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:25:28 AM MassLogger Started: 5/21/2022 2:25:21 AM Interval: 1 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| Bot Killer ||> Disabled <|| Window Searcher ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> Disabled

Targets

- Target
  
  DHL Shipment Notification,PDF.exe
- Size
  
  978KB
- MD5
  
  9800e94ddea9137c64f0125f8ed1697b
- SHA1
  
  a482e5e542c30a7d64bf6173fef0ffac506b2839
- SHA256
  
  192fd3e7ebbf5b338a50b735cd8eae792246e618e3434c1eb0c69f7ef0eb7e05
- SHA512
  
  e03f859652d858c2d087d79d71e620e99b606a861dc2757a13261df6e77bb69910b576cd9e2af77a946cd070b4851f94d71c4d7c2e56556ddb3b372be7f3d69a
Score

10^/10

masslogger collection ransomware spyware stealer
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
  stealer spyware masslogger
- MassLogger Main Payload
- MassLogger log file
  Detects a log file produced by MassLogger.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2