General

  • Target

    4f1384b82b65febe08b4589e556b8637ab71453fcec2329294f8fe7354ee48a4

  • Size

    793KB

  • Sample

    220521-plpaxafef7

  • MD5

    b374804fea63176ab0f67af516db9a4c

  • SHA1

    4295307dfc3746050bda4ee59e183ad79c9ea86a

  • SHA256

    4f1384b82b65febe08b4589e556b8637ab71453fcec2329294f8fe7354ee48a4

  • SHA512

    8322b075915c84e2e8d77c2218236c74163d85d3fc48da2f4b5fb18d1085f79975c9298d26d29e6ae720ef48dcb49d41f278de583a4c8a5c5288521abc7fa983

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.7.1 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 3:08:56 PM MassLogger Started: 5/21/2022 3:08:38 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\Outstanding PO - 14-Jun-2020.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\F95B724EDE\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.7.1 ################################################################# ### Logger Details ### User Name: Admin IP: 127.0.0.1 Location: United States Windows OS: Microsoft Windows 10 Pro64bit Windows Serial Key: W269N-WFGWX-YVC9B-4J6C9-T83GX CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 3:08:51 PM MassLogger Started: 5/21/2022 3:08:38 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\Outstanding PO - 14-Jun-2020.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Targets

    • Target

      Outstanding PO - 14-Jun-2020.exe

    • Size

      823KB

    • MD5

      7d1562810fa826af4ddcf7048be36b11

    • SHA1

      ea6c3ea9459c9fb8102ac5489a37f2e0c7fa999a

    • SHA256

      8caf81f11bf9898ce2e1e91ed450197ae089f1088c666a2d665ae589ceb12a7e

    • SHA512

      01152782402d1dfcfae3fae20c37527896d0cd3e5dc8026a7accf3f1ae16dd71e78152067c5eacf810447a74438ef042b265c319ce525557bd55a6c6b8be15c0

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger Main Payload

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Tasks