General

  • Target

    5c8dde2e68f3b7802a0055a6f7dfc29101060738238e16174fd94f98992d0c07

  • Size

    1.4MB

  • Sample

    220521-b6hrzadaf9

  • MD5

    1c78604342fa44e5d36f9de41e3faf33

  • SHA1

    b5eb7da522034574f08a25bb51e2422082bfe2c8

  • SHA256

    5c8dde2e68f3b7802a0055a6f7dfc29101060738238e16174fd94f98992d0c07

  • SHA512

    43aa27222cbef648c14b4f4b9e7af0178b6532fba75fc56a0798d81005e5648c382896ff8f51a35dc616720f9badc77329b2fc2927a5c9dede8ac017397f985a

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt

Family

masslogger

Ransom Note

    ################################################################# MassLogger v1.3.4.0 #################################################################
    ### Logger Details ###
    User Name: Admin
    IP: 154.61.71.51
    Location: United States
    OS: Microsoft Windows 7 Ultimate 64bit
    CPU: Intel Core Processor (Broadwell)
    GPU: Standard VGA Graphics Adapter
    AV: NA
    Screen Resolution: 1280x720
    Current Time: 5/21/2022 2:38:51 AM
    MassLogger Started: 5/21/2022 2:38:40 AM
    Interval: 2 hour
    MassLogger Process: C:\Users\Admin\AppData\Local\Temp\QUOTATIO.exe
    MassLogger Melt: false
    MassLogger Exit after delivery: false
    As Administrator: True
    Processes:

Targets

    • Target

      QUOTATIO.EXE

    • Size

      879KB

    • MD5

      92e0317af7c6a205b639b5c89440e8c4

    • SHA1

      1430669d5c5e2dd0d85d10fec34de246cad2fa7a

    • SHA256

      fe9c4933496ef0423c6c1591571aedd5acf77e22b349d49fe83d9a6d80178c6c

    • SHA512

      a770d43d766f13114beb6fd31617277311e86fe0e80a81afb54486684805aa7cfd6a21ea6a4f797f6e7b37cc5addcceb79d575ae936d665e653b0b32a7034cae

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks