General
Target

95ddb0ade9a0eb44ed3b399983e71e9b2faabe80c1622fed848210d438de3254

Size

1MB

Sample

220521-phsh6afdb2

Score
10/10
MD5

e98a465439ab8a2d6d386ce028138545

SHA1

1c5749e3f96911dc8dddf7ac840b7de30dc9cb8d

SHA256

95ddb0ade9a0eb44ed3b399983e71e9b2faabe80c1622fed848210d438de3254

SHA512

4fff912ae0db79d3bb8199f6fbdb6cdb5f265f1441f9d77ec5ead703fe376e91bf778780e1df039907086a9bed2ab08663d4aef7931952af7d7615bd3452e7a3

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\3B8E3C2477\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.4.0 ################################################################# ### Logger Details ### User Name: Admin IP: 127.0.0.1 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 3:07:23 PM MassLogger Started: 5/21/2022 3:07:05 PM Interval: 96 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\DHL_MAY_.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\8236ADF044\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.4.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 10 Pro64bit CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 3:07:25 PM MassLogger Started: 5/21/2022 3:07:19 PM Interval: 96 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\DHL_MAY_.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:
Targets
Target

DHL_MAY_.EXE

MD5

7f56bc3c202c7284b09d069b1fe4e0df

Filesize

1MB

Score
10/10
SHA1

5218641a49868df36c1ee409c22ce14e56b7dfb8

SHA256

15fca9cc94b9a0632fe98a3a15e0c75d1f3ff2ce42a47d7b9d76217ca4bfca05

SHA512

d0e7a060a67227891b54385432ae39f4572cb26e7c844b6d6222b7a454cbbeb9ab1013a157afaac605ea62b34b023e2d02b30eae9abea23b4b1ce2d7b46fedf2

Tags

Signatures

  • MassLogger

    Description

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    Tags

  • MassLogger Main Payload

  • MassLogger log file

    Description

    Detects a log file produced by MassLogger.

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Obfuscated with Agile.Net obfuscator

    Description

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    Tags

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Tasks

                        static1

                        Score
                        10/10

                        behavioral2

                        Score
                        10/10