masslogger

General

Target

a30b832b57390359990b3c114f97974d079c77c9a94d77c809d250cc56dfa70c
Size

837KB
Sample

220521-phbweaaeep
MD5

2186da778fcbe1c2eec0445d0db5745c
SHA1

87c2842ced0634b43c94841c849257ffa27d9a60
SHA256

a30b832b57390359990b3c114f97974d079c77c9a94d77c809d250cc56dfa70c
SHA512

5aca2966fc941601b07da8bee8a2c3172f8cbe7f5c3df0bb57f318952139b8eadf68ae82729c2af580701992e6796135aa5acaa1bcb721e4a9d90eff1c8bd623

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.3.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:31:14 PM MassLogger Started: 5/21/2022 2:30:43 PM Interval: 2 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe As Administrator: True

Extracted

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
?qlva43X~o%I

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\F293CD6622\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.3.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 10 Pro64bit CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:31:26 PM MassLogger Started: 5/21/2022 2:31:17 PM Interval: 2 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe As Administrator: True

Targets

- Target
  
  PO#052620.exe
- Size
  
  916KB
- MD5
  
  6b9b5794e44f69ab2773ce2799463454
- SHA1
  
  5ae3669ecff1e3de5569d81a0c4bae495e4be457
- SHA256
  
  9c5b8535e2ac554768c5cfc3d655a3aed7647fe2280e66161a516296eb5a5918
- SHA512
  
  b5d666a93bd724e010fc63f5d70078c54a7a8bebf6aab647ad2a49d049d99703ac14ba2b7fe408632eef308d85af5b2725e89c18e193f2966ff0cb1b72460731
Score

10^/10

masslogger collection coreentity ransomware rezer0 spyware stealer
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
  stealer spyware masslogger
- MassLogger Main Payload
- MassLogger log file
  Detects a log file produced by MassLogger.
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

CoreEntity .NET Packer

MassLogger Main Payload

MassLogger log file

ReZer0 packer

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2