Malware sandboxing report by Hatching Triage

Target

35427be7bfbf3eed5c87a1567c0ede26d41c7653c3bb06e28c65f28d3263a5e4

Size

719KB

Sample

220521-pmt8jsffc7

Score

10^/10

MD5

affd2f6d147c7250f93a0e2f80e00fa9

SHA1

3ecf73be3b7ec7a4ee4e46d5d181407f55251621

SHA256

35427be7bfbf3eed5c87a1567c0ede26d41c7653c3bb06e28c65f28d3263a5e4

SHA512

1cf8b63c192c821aa80aeead3148b4d7961128c854b908dabad15170d0609d6d04b6d235806e68dc26bd2573d327def3a6580587e0c9bc51a2fdbce2253ed0e5

Extracted

Path	C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt
Family	masslogger
Ransom Note	################################################################# MassLogger v1.3.4.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.51 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 1:09:10 PM MassLogger Started: 5/21/2022 1:09:03 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\Quotation_Sheet_PO_including FOB_MOQ.PDF.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Target

Quotation_Sheet_PO_including FOB_MOQ.PDF.exe

MD5

a59a17e0750535499b455d7e2bf4b4ff

Filesize

756KB

Score

10^/10

SHA1

d659c6f80171c2142aa0b9f0352205ae6a79ca4d

SHA256

c2be817a60ed0f80dc7f6e3e5eafc3db7a7a170e1df0015e2189cd9daecec6c8

SHA512

83bab7d199df6dadc8ca1d8c3cb38bc8cf466309d25ee92b3579ea30eac012154b20c9193367f09441619c0e08a0134123cf89d97972a43aaac42a9bff212354

Signatures

MassLogger
Description

Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
Tags

stealer spyware masslogger
MassLogger log file
Description

Detects a log file produced by MassLogger.
ReZer0 packer
Description

Detects ReZer0, a packer with multiple versions used in various campaigns.
Tags

rezer0
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Looks up external IP address via web service
Description

Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Scheduled Task

Privilege Escalation

static1

Score

N/A

behavioral1

masslogger ransomware rezer0 spyware stealer

Score

10^/10

behavioral2

Score

7^/10

Extracted

Tags

Signatures

MassLogger

Description

Tags

MassLogger log file

Description

ReZer0 packer

Description

Tags

Checks computer location settings

Description

TTPs

Looks up external IP address via web service

Description

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1

behavioral2