masslogger | b84380296326ebf1af0d6a9188f7a3e989bc464c7a15785db8c452dba90752b6

General

Target

INV-COPY##5563164600.pdf.exe
Size

813KB
MD5

b62a4531bcc7386b73107176078547ef
SHA1

ce5eba00036bf8cdd3ba5bbd775a748d28d10871
SHA256

58eb028bec07f54d8878925ad98d3d75002077ba103d387fa15892d250ac1008
SHA512

f53352d49e6543220621e237b23b84365d8f028c0a9ff46eb5633a7f921d23926013b10efddc9a385ee6bbf7c70161c91fe5500fca992182c6118b7a278b1970

Score

10^/10

masslogger collection ransomware rezer0 spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.7.1 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:30:20 PM MassLogger Started: 5/21/2022 2:30:06 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\INV-COPY##5563164600.pdf.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1868-57-0x00000000057B0000-0x0000000005858000-memory.dmp	family_masslogger

MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file

yara_rule
masslogger_log_file

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1868-56-0x0000000005700000-0x00000000057AE000-memory.dmp	rezer0

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

INV-COPY##5563164600.pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation	INV-COPY##5563164600.pdf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs

collection

Email Collection

T1114

Processes:

INV-COPY##5563164600.pdf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	INV-COPY##5563164600.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INV-COPY##5563164600.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INV-COPY##5563164600.pdf.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INV-COPY##5563164600.pdf.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INV-COPY##5563164600.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INV-COPY##5563164600.pdf.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INV-COPY##5563164600.pdf.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	INV-COPY##5563164600.pdf.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INV-COPY##5563164600.pdf.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	INV-COPY##5563164600.pdf.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	INV-COPY##5563164600.pdf.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	INV-COPY##5563164600.pdf.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INV-COPY##5563164600.pdf.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INV-COPY##5563164600.pdf.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	INV-COPY##5563164600.pdf.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

INV-COPY##5563164600.pdf.exe

pid process

1868 INV-COPY##5563164600.pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

INV-COPY##5563164600.pdf.exe

description pid process

Token: SeDebugPrivilege 1868 INV-COPY##5563164600.pdf.exe

flow	ioc
4	api.ipify.org

pid	process
1868	INV-COPY##5563164600.pdf.exe

description	pid	process
Token: SeDebugPrivilege	1868	INV-COPY##5563164600.pdf.exe

outlook_office_path 1 IoCs

Processes:

INV-COPY##5563164600.pdf.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INV-COPY##5563164600.pdf.exe

outlook_win_path 1 IoCs

Processes:

INV-COPY##5563164600.pdf.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INV-COPY##5563164600.pdf.exe

C:\Users\Admin\AppData\Local\Temp\INV-COPY##5563164600.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\INV-COPY##5563164600.pdf.exe"
1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1868-54-0x0000000001050000-0x0000000001122000-memory.dmp

Filesize
840KB

Download
memory/1868-55-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/1868-56-0x0000000005700000-0x00000000057AE000-memory.dmp

Filesize
696KB

Download
memory/1868-57-0x00000000057B0000-0x0000000005858000-memory.dmp

Filesize
672KB

Download
memory/1868-58-0x0000000000660000-0x00000000006A4000-memory.dmp

Filesize
272KB

Download
memory/1868-59-0x0000000000200000-0x0000000000240000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads