General

  • Target

    95ddb0ade9a0eb44ed3b399983e71e9b2faabe80c1622fed848210d438de3254

  • Size

    1.9MB

  • Sample

    220521-phsh6afdb2

  • MD5

    e98a465439ab8a2d6d386ce028138545

  • SHA1

    1c5749e3f96911dc8dddf7ac840b7de30dc9cb8d

  • SHA256

    95ddb0ade9a0eb44ed3b399983e71e9b2faabe80c1622fed848210d438de3254

  • SHA512

    4fff912ae0db79d3bb8199f6fbdb6cdb5f265f1441f9d77ec5ead703fe376e91bf778780e1df039907086a9bed2ab08663d4aef7931952af7d7615bd3452e7a3

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\3B8E3C2477\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.4.0 ################################################################# ### Logger Details ### User Name: Admin IP: 127.0.0.1 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 3:07:23 PM MassLogger Started: 5/21/2022 3:07:05 PM Interval: 96 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\DHL_MAY_.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\8236ADF044\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.4.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 10 Pro64bit CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 3:07:25 PM MassLogger Started: 5/21/2022 3:07:19 PM Interval: 96 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\DHL_MAY_.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Targets

    • Target

      DHL_MAY_.EXE

    • Size

      1.3MB

    • MD5

      7f56bc3c202c7284b09d069b1fe4e0df

    • SHA1

      5218641a49868df36c1ee409c22ce14e56b7dfb8

    • SHA256

      15fca9cc94b9a0632fe98a3a15e0c75d1f3ff2ce42a47d7b9d76217ca4bfca05

    • SHA512

      d0e7a060a67227891b54385432ae39f4572cb26e7c844b6d6222b7a454cbbeb9ab1013a157afaac605ea62b34b023e2d02b30eae9abea23b4b1ce2d7b46fedf2

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger Main Payload

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks