Malware sandboxing report by Hatching Triage

Target

4c8b0678d48632fa7a7ee87c0350c90a0b46b31e8a46fc701a932880a18fe878

Size

1MB

Sample

220521-plt66aagbn

Score

10^/10

MD5

c687540f6218d75fbe3faff438d8a4cf

SHA1

1a480afd41d10ae29a6d38b1a5c135edde6c1a09

SHA256

4c8b0678d48632fa7a7ee87c0350c90a0b46b31e8a46fc701a932880a18fe878

SHA512

3bccb8ac995a1438985b527443e3d5373f0858a647260d7bf3c8c605659fe96fb96e2169fd93b5b42d40e3de65ecff0b9f6c9b96b2cff0792ac85242412609e6

Extracted

Path	C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt
Family	masslogger
Ransom Note	################################################################# MassLogger v1.3.4.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.51 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 12:35:28 PM MassLogger Started: 5/21/2022 12:35:21 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\IMG_6110.scr MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Target

IMG_6110.SCR

MD5

a7f29df168c669851c1979dbc41c95b2

Filesize

920KB

Score

10^/10

SHA1

46d9da6397c063544cdd8dc9b9f8a65142aefa40

SHA256

bc6a63b07a18d95278dee0e0d77c1e91d4a80bfca9732f030ce069894f610b14

SHA512

79c92ba1352bff8f8f705b325a91196c867d45939ecf2bafac386c192637990d8a212d52b31bfb249794c28c1d1bee0c663ba827983b2fbb803271ca3446d0c6

Signatures

CoreEntity .NET Packer
Description

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
Tags

coreentity
MassLogger
Description

Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
Tags

stealer spyware masslogger
MassLogger log file
Description

Detects a log file produced by MassLogger.
ReZer0 packer
Description

Detects ReZer0, a packer with multiple versions used in various campaigns.
Tags

rezer0
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

static1

Score

N/A

behavioral1

masslogger coreentity ransomware rezer0 spyware stealer

Score

10^/10

behavioral2

Score

5^/10

Extracted

Tags

Signatures

CoreEntity .NET Packer

Description

Tags

MassLogger

Description

Tags

MassLogger log file

Description

ReZer0 packer

Description

Tags

Checks computer location settings

Description

TTPs

Looks up external IP address via web service

Description

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1

behavioral2