General

Target: 43924a3ea7c1961e5e368c057f2bf1a8a877eb8d68fba15c9c5d233f1db9b5b2
Size: 808KB
Sample: 220521-pmcnhaffa9
Score: 10/10
MD5: c5bcc341c3f59b68aa15bfbc9e31229a
SHA1: 45f52f33cee4b5c73ee0f23cd12ca5345b3bfacc
SHA256: 43924a3ea7c1961e5e368c057f2bf1a8a877eb8d68fba15c9c5d233f1db9b5b2
SHA512: c2a87e1da650019d2cc222d4b4ba7c5c87f22a527b01ffe54bf8a52692ee4c05b8ca3cd85f7efc334362a708f7920186acc2ae0aec4719b64ae79086f3394b5e

Malware Config

Extracted

Path: C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt
Family: masslogger

Ransom Note

    #################################################################
    MassLogger v1.3.4.0
    #################################################################
    ### Logger Details ###
    User Name: Admin
    IP: 154.61.71.50
    Location: United States
    OS: Microsoft Windows 7 Ultimate 64bit
    CPU: Intel Core Processor (Broadwell)
    GPU: Standard VGA Graphics Adapter
    AV: NA
    Screen Resolution: 1280x720
    Current Time: 5/21/2022 3:09:48 PM
    MassLogger Started: 5/21/2022 3:09:30 PM
    Interval: 2 hour
    MassLogger Process: C:\Users\Admin\AppData\Local\Temp\ORDER FORM.exe
    MassLogger Melt: false
    MassLogger Exit after delivery: false
    As Administrator: True
    Processes:

Extracted

Path: C:\Users\Admin\AppData\Local\Temp\8236ADF044\Log.txt
Family: masslogger

Ransom Note

    #################################################################
    MassLogger v1.3.4.0
    #################################################################
    ### Logger Details ###
    User Name: Admin
    IP: 154.61.71.50
    Location: United States
    OS: Microsoft Windows 10 Pro64bit
    CPU: Intel Core Processor (Broadwell)
    GPU: Microsoft Basic Display Adapter
    AV: NA
    Screen Resolution: 1280x720
    Current Time: 5/21/2022 3:10:06 PM
    MassLogger Started: 5/21/2022 3:09:42 PM
    Interval: 2 hour
    MassLogger Process: C:\Users\Admin\AppData\Local\Temp\ORDER FORM.exe
    MassLogger Melt: false
    MassLogger Exit after delivery: false
    As Administrator: True
    Processes:

Targets

Target: ORDER FORM.exe
MD5: 0faa3c5a42f64964e82ce6a1c46bd9f1
Filesize: 1MB
Score: 10/10
SHA1: 457cb4a210e0c16e78442f1bf79c9826cf4f982b
SHA256: 8b21c06bf03c5f788bb0354c625f343873bc834ac43b1d8fbc469fd64f215cf6
SHA512: e07faaee45573a7c2c01441d95b9768bb61bbdda0307354140a77487b3331eea3236e5e96ae62fa688311cb3207ad76acd639d12d2e10d059b7402ae5ff74e8a

Signatures

  • CoreEntity .NET Packer

    Description

    A .NET packer called CoreEntity that embeds its payload as a BitMap object, which is decrypted at runtime.

  • MassLogger

    Description

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload

  • MassLogger log file

    Description

    Detects a log file produced by MassLogger.

  • ReZer0 packer

    Description

    Detects ReZer0, a packer with multiple versions used in various campaigns.

  • Checks computer location settings

    Description

    Looks up the country code configured in the registry, likely for geofencing.

    TTPs

    Query Registry
    System Information Discovery

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix

Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1
Score: N/A

behavioral2
Score: 10/10