masslogger | 4c8b0678d48632fa7a7ee87c0350c90a0b46b31e8a46fc701a932880a18fe878

General

Target

IMG_6110.scr
Size

920KB
MD5

a7f29df168c669851c1979dbc41c95b2
SHA1

46d9da6397c063544cdd8dc9b9f8a65142aefa40
SHA256

bc6a63b07a18d95278dee0e0d77c1e91d4a80bfca9732f030ce069894f610b14
SHA512

79c92ba1352bff8f8f705b325a91196c867d45939ecf2bafac386c192637990d8a212d52b31bfb249794c28c1d1bee0c663ba827983b2fbb803271ca3446d0c6

Score

10^/10

masslogger coreentity ransomware rezer0 spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.4.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.51 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 12:35:28 PM MassLogger Started: 5/21/2022 12:35:21 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\IMG_6110.scr MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/1972-56-0x0000000000610000-0x0000000000618000-memory.dmp	coreentity

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file

yara_rule
masslogger_log_file

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1972-57-0x00000000080C0000-0x0000000008170000-memory.dmp	rezer0

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IMG_6110.scr

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation	IMG_6110.scr

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

IMG_6110.scr

description pid process target process

PID 1972 set thread context of 1720 1972 IMG_6110.scr IMG_6110.scr
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

IMG_6110.scr

pid process

1720 IMG_6110.scr
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

IMG_6110.scr

description pid process

Token: SeDebugPrivilege 1720 IMG_6110.scr

flow	ioc
4	api.ipify.org

description	pid	process	target process
PID 1972 set thread context of 1720	1972	IMG_6110.scr	IMG_6110.scr

pid	process
1720	IMG_6110.scr

description	pid	process
Token: SeDebugPrivilege	1720	IMG_6110.scr

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

IMG_6110.scr

description	pid	process	target process
PID 1972 wrote to memory of 1720	1972	IMG_6110.scr	IMG_6110.scr
PID 1972 wrote to memory of 1720	1972	IMG_6110.scr	IMG_6110.scr
PID 1972 wrote to memory of 1720	1972	IMG_6110.scr	IMG_6110.scr
PID 1972 wrote to memory of 1720	1972	IMG_6110.scr	IMG_6110.scr
PID 1972 wrote to memory of 1720	1972	IMG_6110.scr	IMG_6110.scr
PID 1972 wrote to memory of 1720	1972	IMG_6110.scr	IMG_6110.scr
PID 1972 wrote to memory of 1720	1972	IMG_6110.scr	IMG_6110.scr
PID 1972 wrote to memory of 1720	1972	IMG_6110.scr	IMG_6110.scr
PID 1972 wrote to memory of 1720	1972	IMG_6110.scr	IMG_6110.scr

C:\Users\Admin\AppData\Local\Temp\IMG_6110.scr
"C:\Users\Admin\AppData\Local\Temp\IMG_6110.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\IMG_6110.scr
"{path}"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1720-82-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-112-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-578-0x0000000004E05000-0x0000000004E16000-memory.dmp

Filesize
68KB

Download
memory/1720-116-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-58-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-61-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-59-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-62-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-63-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-64-0x00000000004A33CE-mapping.dmp

Download
memory/1720-66-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-68-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-70-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-86-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-74-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-76-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-78-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-80-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-120-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-118-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-72-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-88-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-90-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-92-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-94-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-96-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-98-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-100-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-102-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-104-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-106-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-108-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-110-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-84-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1720-114-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1972-55-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1972-57-0x00000000080C0000-0x0000000008170000-memory.dmp

Filesize
704KB

Download
memory/1972-54-0x0000000001040000-0x000000000112C000-memory.dmp

Filesize
944KB

Download
memory/1972-56-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads