General

  • Target

    53c05a4b75e539caed8efe3f60af055da27c014c2f8ba6f9a05981fc2e073e59

  • Size

    1.8MB

  • Sample

    220521-pljenaagar

  • MD5

    2b372a7077f8705f843f343dea500b85

  • SHA1

    8ec3551d5bce779e1425f0b6f6bcb0195043eace

  • SHA256

    53c05a4b75e539caed8efe3f60af055da27c014c2f8ba6f9a05981fc2e073e59

  • SHA512

    e24c15ca26303bb98ec5e9206345b829f598a343bad27e44bf3247387907272d1091d129bb16af0b3d668c08215b057f326db49fafa788108942b0c0100dc489

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.2.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.51 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 12:35:02 PM MassLogger Started: 5/21/2022 12:34:51 PM Interval: 6 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe As Administrator: True

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.sisbg.net
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    alibaba.com

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\781F780B4E\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.2.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.51 Location: United States OS: Microsoft Windows 10 Pro64bit CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 12:34:47 PM MassLogger Started: 5/21/2022 12:34:43 PM Interval: 6 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe As Administrator: True

Targets

    • Target

      PAGO_ADJ.EXE

    • Size

      1.2MB

    • MD5

      b69ef4759dddf4f965bf84d654a555ff

    • SHA1

      f894b62e29c20cdd562f02001c5ce30ca5609bb9

    • SHA256

      7ecde113e9bcf315e61368cce51deda2e51321684d9d8e943a31ab1d457988f7

    • SHA512

      529766ef4faa26b9c5e8a2bffd390c64d038724a7492caf5790550062c195ba5d6f2c2d97ad0e6fc5e2a03bf4fc3af6b41c0c4a3a7db9b0fa2e33884f38827cb

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger Main Payload

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks