General
Target

3dece552bae40022a24574f60b1dca098221bc92f04808839928b86e48eedcbd

Size

1MB

Sample

220521-pmkn4sffb8

Score
10/10
MD5

90be67cd4e708a8080bfebc282966207

SHA1

12a71a6483b1792bdf7091d4b960522b43988692

SHA256

3dece552bae40022a24574f60b1dca098221bc92f04808839928b86e48eedcbd

SHA512

788f1a4b77aa618d634eb9ef08baea270bd8555f7df86456fef64314c3998bfc955c15069355930b016bd8e08ac3b38c18d5fb55a9d8d3df1f8be4335d804716

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt

Family

masslogger

Log file header (the report labels this field "Ransom Note"; the content is the MassLogger Log.txt header, not a ransom demand)
#################################################################
MassLogger v1.3.4.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.51
Location: United States
OS: Microsoft Windows 7 Ultimate 64bit
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 1:09:54 PM
MassLogger Started: 5/21/2022 1:09:43 PM
Interval: 96 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\781F780B4E\Log.txt

Family

masslogger

Log file header (the report labels this field "Ransom Note"; the content is the MassLogger Log.txt header, not a ransom demand)
#################################################################
MassLogger v1.3.4.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.51
Location: United States
OS: Microsoft Windows 10 Pro64bit
CPU: Intel Core Processor (Broadwell)
GPU: Microsoft Basic Display Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 1:09:39 PM
MassLogger Started: 5/21/2022 1:09:36 PM
Interval: 96 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:

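The two extracted Log.txt headers above are the most useful artefact on this page for a responder: they name the logger version, the process it ran from, the delivery interval and whether it ran elevated. The following parser and triage routine is an added example written for this page, not code from the sandbox or from MassLogger; it turns a header into structured fields and tags the findings a practitioner would want. The sample text is a constructed copy of the Windows 10 header shown above, the 10-hex-digit folder pattern under %TEMP% is an assumption generalised from the two paths in the report, and the finding tag names are my own.

```python
import re
from typing import Optional

# Constructed copy of the second Log.txt header reported above; the
# "Processes:" section is empty here exactly as it is in the report.
SAMPLE_LOG = """\
#################################################################
MassLogger v1.3.4.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.51
Location: United States
OS: Microsoft Windows 10 Pro64bit
CPU: Intel Core Processor (Broadwell)
GPU: Microsoft Basic Display Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 1:09:39 PM
MassLogger Started: 5/21/2022 1:09:36 PM
Interval: 96 hour
MassLogger Process: C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallUtil.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:
"""

HEADER_RE = re.compile(r"^MassLogger v(\d+(?:\.\d+)+)\s*$", re.M)
DETAIL_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")
# Assumption: the two reported drop paths share the shape
# %LOCALAPPDATA%\Temp\<10 hex digits>\Log.txt; this is not a rule the report states.
LOG_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\[0-9A-Fa-f]{10}\\Log\.txt$")
BOOL_FIELDS = {"MassLogger Melt", "MassLogger Exit after delivery", "As Administrator"}


def parse_masslogger_log(text: str) -> Optional[dict]:
    """Parse the 'Logger Details' block. Returns None if the version banner is absent."""
    m = HEADER_RE.search(text)
    if not m:
        return None
    result = {"version": m.group(1), "details": {}, "processes": []}
    lines = text.splitlines()
    in_details = False
    for i, raw in enumerate(lines):
        line = raw.rstrip()
        if line == "### Logger Details ###":
            in_details = True
            continue
        if not in_details:
            continue
        if line == "Processes:":
            # Everything after the marker is the process list (empty in the report).
            result["processes"] = [l.strip() for l in lines[i + 1:] if l.strip()]
            break
        dm = DETAIL_RE.match(line)
        if not dm:
            continue
        key, value = dm.group(1), dm.group(2).strip()
        if key in BOOL_FIELDS:
            value = value.lower() == "true"
        result["details"][key] = value
    iv = re.match(r"(\d+)\s*hour", result["details"].get("Interval", ""))
    result["interval_hours"] = int(iv.group(1)) if iv else None
    return result


def triage(path: str, text: str) -> list:
    """Return finding tags for a candidate Log.txt found at `path` with content `text`."""
    findings = []
    parsed = parse_masslogger_log(text)
    if parsed is None:
        return findings
    findings.append("masslogger_log_header")
    if LOG_PATH_RE.search(path):
        findings.append("log_path_matches_reported_pattern")
    d = parsed["details"]
    if d.get("As Administrator") is True:
        findings.append("ran_as_administrator")
    # The logger reports its own host process; a copy living under %TEMP% is
    # itself worth flagging regardless of the binary name.
    if re.search(r"\\AppData\\Local\\Temp\\", d.get("MassLogger Process", ""), re.I):
        findings.append("logger_process_in_temp")
    return findings


if __name__ == "__main__":
    p = r"C:\Users\Admin\AppData\Local\Temp\781F780B4E\Log.txt"
    print(parse_masslogger_log(SAMPLE_LOG))
    print(triage(p, SAMPLE_LOG))
```

Run it over any Log.txt recovered from an endpoint; the parsed `MassLogger Process` value tells you which binary to pull next, and `interval_hours` gives the delivery cadence to look for in network telemetry.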
Targets
Target

PAGO_25_.EXE

MD5

94f2908697b9f698d5634f675dc6a5c8

Filesize

1MB

Score
10/10
SHA1

9e6e83f145c01bedd3ef800b16e675d990f9d39e

SHA256

79789ad11d75901af6b26bcb620abc4db6c1391c00544bf6d293760f98c3df76

SHA512

042c67a7da5cdff3e159d918bb8fdde12d6b5d176e9b51460d4703ed68b33562c58d98cd140064fae4f336196a0e23efe78545f7bd621f77c305516b78b96ce5

Signatures

  • MassLogger

    Description

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload

  • MassLogger log file

    Description

    Detects a log file produced by MassLogger.

  • Executes dropped EXE

  • Checks computer location settings

    Description

    Looks up the country code configured in the registry, most likely a geofence check to avoid running in unwanted regions.

    TTPs

    Query Registry, System Information Discovery
  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator

    Description

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP. This is consistent with the populated IP and Location fields in the extracted log headers above.

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix

Tactic columns in the report: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation. No technique cells are present in this extraction; the only TTPs named on the page are Query Registry and System Information Discovery under the "Checks computer location settings" signature.

Tasks

static1

Score
10/10

behavioral2

Score
10/10