masslogger

General

Target

8f454599de85acba90becf21df70d90ee0c760b58f7fb86b12a5d29d98efc62b
Size

782KB
Sample

220521-n4j88sefa7
MD5

937608e55e5fb44ee80054d3041591e7
SHA1

63d246ea1b93f4f93cb8abe8b005f6e80acf42d3
SHA256

8f454599de85acba90becf21df70d90ee0c760b58f7fb86b12a5d29d98efc62b
SHA512

b1c41df8f7f9337e4e2f49c03361d6c9229b5ff6958a73cd46bda0a2db16a338fc36eae6fab9da04cf2804859505c3977c16b6c9081a64cb10ccf5fb21dd70eb

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\8506BBE7FF\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.3.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.13 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:50:19 PM MassLogger Started: 5/21/2022 2:50:08 PM Interval: 2 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe As Administrator: True

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\781F780B4E\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.3.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.51 Location: United States OS: Microsoft Windows 10 Pro64bit CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 12:50:04 PM MassLogger Started: 5/21/2022 12:50:01 PM Interval: 2 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe As Administrator: True

Extracted

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
don8@intarscan.org
Password:
?qlva43X~o%I

Targets

- Target
  
  P.O250520.exe
- Size
  
  815KB
- MD5
  
  aa5fb011e59d1e2a8bef56360a4f31b4
- SHA1
  
  5c80c907e0792bdf8d6d4a48ebcbb3493570b78b
- SHA256
  
  5c826e35fe48ce5410e9c553242a83e71b2408a57d3256bcd0bd4334412010b0
- SHA512
  
  f2ca54693c8a00ed447f026d309a2654c05a448f1b4d435b6d7d719d9f1798c687cc3e307a3ec53f9d1fea73e448cae91b16ccf31b59b2f17bd7bd44a46f681d
Score

10^/10

masslogger coreentity ransomware rezer0 spyware stealer collection
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
  stealer spyware masslogger
- MassLogger Main Payload
- MassLogger log file
  Detects a log file produced by MassLogger.
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

CoreEntity .NET Packer

MassLogger Main Payload

MassLogger log file

ReZer0 packer

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2