General

  • Target

    945de800ae672cc44cca74776ec9b3658aaa8dd14d6fef5643f6641a618a92e4

  • Size

    854KB

  • Sample

    220521-phx4msaegr

  • MD5

    571f3113c938be5a96aed8f2ff16427d

  • SHA1

    a102589d8545b44d1cc1504b17c077d6dc52b65b

  • SHA256

    945de800ae672cc44cca74776ec9b3658aaa8dd14d6fef5643f6641a618a92e4

  • SHA512

    3c659c96e1a6299507590ce6fb19d0d685b332de62c71d51deb6e32af934ce120069eb0a2f81621583a18cbc0df0bfeb15fb52918effbbd50a38be0b7eb2bac9

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\8506BBE7FF\Log.txt

Family

masslogger

Ransom Note
<|| v2.4.0.0 ||> User Name: Admin IP: 154.61.71.13 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:31:27 PM MassLogger Started: 5/21/2022 2:31:20 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> NA

Targets

    • Target

      Order Inquiry with Design Samples.exe

    • Size

      897KB

    • MD5

      2ebff22a63913f818834de7c54a0e354

    • SHA1

      89a9d6a4d974fe7cde6ec896c5dc19283b0f63f4

    • SHA256

      2302005fdd7c57d73c350d541fd0020b051efffdf02a4f3c3e1671cacea30043

    • SHA512

      f722929d3691cda5d078f477c6ecac777b465d0923931fcc62389a4b6b6ed1df35b6be2800ce9cf9e2c65b004adf85d7822a12c0ad07d13e6c05139c5f2c4dda

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger Main Payload

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks