General
Target

4c8b0678d48632fa7a7ee87c0350c90a0b46b31e8a46fc701a932880a18fe878

Size

1MB

Sample

220521-plt66aagbn

Score
10/10
MD5

c687540f6218d75fbe3faff438d8a4cf

SHA1

1a480afd41d10ae29a6d38b1a5c135edde6c1a09

SHA256

4c8b0678d48632fa7a7ee87c0350c90a0b46b31e8a46fc701a932880a18fe878

SHA512

3bccb8ac995a1438985b527443e3d5373f0858a647260d7bf3c8c605659fe96fb96e2169fd93b5b42d40e3de65ecff0b9f6c9b96b2cff0792ac85242412609e6

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.4.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.51 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 12:35:28 PM MassLogger Started: 5/21/2022 12:35:21 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\IMG_6110.scr MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:
Targets
Target

IMG_6110.SCR

MD5

a7f29df168c669851c1979dbc41c95b2

Filesize

920KB

Score
10/10
SHA1

46d9da6397c063544cdd8dc9b9f8a65142aefa40

SHA256

bc6a63b07a18d95278dee0e0d77c1e91d4a80bfca9732f030ce069894f610b14

SHA512

79c92ba1352bff8f8f705b325a91196c867d45939ecf2bafac386c192637990d8a212d52b31bfb249794c28c1d1bee0c663ba827983b2fbb803271ca3446d0c6

Tags

Signatures

  • CoreEntity .NET Packer

    Description

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    Tags

  • MassLogger

    Description

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    Tags

  • MassLogger log file

    Description

    Detects a log file produced by MassLogger.

  • ReZer0 packer

    Description

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    Tags

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Tasks

                        static1

                        Score
                        N/A

                        behavioral2

                        Score
                        5/10