General

  • Target

    e398d25e5ee3fa2ef17eda10103e1c39c7ddc36b9ccd06d3de5c1cc25141fe76

  • Size

    949KB

  • Sample

    220521-cd5ayadga3

  • MD5

    a7bf1ba14bcca162e2c16645e3dfa1d9

  • SHA1

    a3f3f4ec3b702c5fbe3e6ae421962ea9f0c4e578

  • SHA256

    e398d25e5ee3fa2ef17eda10103e1c39c7ddc36b9ccd06d3de5c1cc25141fe76

  • SHA512

    864c9fbae030b6c299ee62cd1e5f470689aba14e84e9ccd3a5d3f25633eea06b0848e1eeedbc4fc014fd554b89a94d706e0638f07efc7142a6b6bb0f088642ac

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.5.0 #################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.50
Location: United States
OS: Microsoft Windows 7 Ultimate 64bit
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 5:01:48 AM
MassLogger Started: 5/21/2022 5:01:38 AM
Interval: 2 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\order.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    elomma5665@gmail.com
  • Password:
    chinelomywife2018

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\8236ADF044\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.5.0 #################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.50
Location: United States
OS: Microsoft Windows 10 Pro64bit
CPU: Intel Core Processor (Broadwell)
GPU: Microsoft Basic Display Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 5:01:13 AM
MassLogger Started: 5/21/2022 5:01:08 AM
Interval: 2 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\order.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:

Targets

    • Target

      order.exe

    • Size

      1.3MB

    • MD5

      db0fbf9c80238f34c22726ca4bfa6759

    • SHA1

      d1fd22f57ad0fb02f0f8ac4d31b31d2f191e0f27

    • SHA256

      a643a629e8acc513e9c6d51842fe1775208b64c4e1e20036fa52b7038ecf2c25

    • SHA512

      226138cca5053dd91cb08b3d30dd34f37074e63cd698e676092374f1468d0a8045b42c1ec1f224d59a06324f268676771c068bb181b48f597ee9eed60d7eaf62

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.

    • MassLogger

      MassLogger is a .NET stealer that targets passwords stored by browsers, email clients and cryptocurrency clients.

    • MassLogger Main Payload

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                 Technique                       Count  ID
  Execution              Scheduled Task                  1      T1053
  Persistence            Scheduled Task                  1      T1053
  Privilege Escalation   Scheduled Task                  1      T1053
  Credential Access      Credentials in Files            1      T1081
  Discovery              Query Registry                  1      T1012
  Discovery              System Information Discovery    2      T1082
  Collection             Data from Local System          1      T1005
  Collection             Email Collection                1      T1114

Tasks