Overview

overview

10

Static

static

CATALOGUE ...DF.exe

windows7_x64

10

CATALOGUE ...DF.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b3918b3f0ec8f321ec006fc4455e1e2c92f2122ae2767c5576a1d30cb0c764ef

  • Size

    938KB

  • Sample

    220521-n9xrhsaagq

  • MD5

    8bb85daeb342d6631bbb76e16e19113a

  • SHA1

    4a5de2eec3977d4d47709af15abb79a3e2c0234e

  • SHA256

    b3918b3f0ec8f321ec006fc4455e1e2c92f2122ae2767c5576a1d30cb0c764ef

  • SHA512

    c0fd14d528b1766c0780eabe6fa9be70e899fff402c258413111cc48c57d440ab63f92e56c17e0404f42423c24895eb24fc806b9f88e8731b46c2991cc22f3b8

Score
10/10
massloggercollectionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\3B8E3C2477\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.5.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:16:47 PM MassLogger Started: 5/21/2022 2:16:34 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\CATALOGUE RMK TRADING LTD_PDF.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    miraclegomez@yandex.ru
  • Password:
    whayasaynewnew

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\8236ADF044\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.5.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 10 Pro64bit CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:16:41 PM MassLogger Started: 5/21/2022 2:16:37 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\CATALOGUE RMK TRADING LTD_PDF.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Targets

    • Target

      CATALOGUE RMK TRADING LTD_PDF.exe

    • Size

      877KB

    • MD5

      dbea2b919f6457af66a3f4080d989f0f

    • SHA1

      5c10ba29f8038614b75dc73416d733851710857a

    • SHA256

      5f10de50b259a82ec6229168b4ed55aca2959b445051abd78d2cb2ab51f321f8

    • SHA512

      0902bc7f1e44fa97ce9fb267148a038dec848d66a2a9b961134b30a7b6e6dc3ce4247006637892265ea354150926aa37595153bdf055144e97f86bfca6b1bf4c

    Score
    10/10
    massloggercollectionransomwarespywarestealer

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

      stealerspywaremasslogger

    • MassLogger Main Payload

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks