General

  • Target

    affd41df487700a59f27d10e8a52a4fe7f10907f7bbf3f11d1e8b26e8435384d

  • Size

    1MB

  • Sample

    220521-pgnhtaaebq

  • MD5

    6b79d4c24e288805fcd3f4c91a933b40

  • SHA1

    8b14193350518e068ea3dc4df569c1c16fda4f19

  • SHA256

    affd41df487700a59f27d10e8a52a4fe7f10907f7bbf3f11d1e8b26e8435384d

  • SHA512

    beecadca4246d6bbaa678483b82da5d8320ccec0d21789a2b7a1a0bc0208db0483f3f30c5ecd626ca8e427c018b712dbee5a01f7a251689f343304dfee20139b

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note
#################################################################
MassLogger v1.3.4.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.50
Location: United States
OS: Microsoft Windows 7 Ultimate 64bit
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 2:31:10 PM
MassLogger Started: 5/21/2022 2:30:59 PM
Interval: 96 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\SKBMT__B.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\8236ADF044\Log.txt

Family

masslogger

Ransom Note
#################################################################
MassLogger v1.3.4.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.50
Location: United States
OS: Microsoft Windows 10 Pro64bit
CPU: Intel Core Processor (Broadwell)
GPU: Microsoft Basic Display Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 2:30:05 PM
MassLogger Started: 5/21/2022 2:29:50 PM
Interval: 96 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\SKBMT__B.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:

Targets

    • Target

      SKBMT__B.EXE

    • Size

      807KB

    • MD5

      848160f98c9f8649b24e626a9b2b771c

    • SHA1

      0f9b15af9c94d497979efc1ad64e81ce89a8ed76

    • SHA256

      4e232298aee519176835a2da80f0a04ac027ac235a5b5ea51974c66318b59245

    • SHA512

      235f7516b632632a79994cc7d35a725a141d88f301d63c40d4c68ed225075769e2aae6f2d5671c638c002d1ad136e718534517e17d4a206391e40e63610db242

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger Main Payload

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

    • Query Registry: T1012 (1)

    • System Information Discovery: T1082 (1)

Tasks