General

  • Target

    0b1e16ec3b9df30065ab12858d60db441afa2ad9f96e9a32e1f6c94eb675c71c

  • Size

    676KB

  • Sample

    220521-ppntjsahgn

  • MD5

    26d15bf678633c5fd4c87c3a7f022474

  • SHA1

    7f72d275b52e5775960ba5169b2fa956542cd53b

  • SHA256

    0b1e16ec3b9df30065ab12858d60db441afa2ad9f96e9a32e1f6c94eb675c71c

  • SHA512

    6ced1d9dc47c27ef00a91323d86220d3f1697b5569437991d544a9c1d2e61cee16e49ad711923a9b85fad75352e1b3e44fdf30d1aafe8d3cd3f8f52472d42cd0

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt

Family

masslogger

Ransom Note
#################################################################
MassLogger v2.0.0.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.51
Location: United States
Windows OS: Microsoft Windows 7 Ultimate 64bit
Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 12:38:52 PM
MassLogger Started: 5/21/2022 12:38:41 PM
Interval: 2 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\RFQ #031-24062020.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    binu@metalfabme.icu
  • Password:
    @Brazil20,,

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\F95B724EDE\Log.txt

Family

masslogger

Ransom Note
#################################################################
MassLogger v2.0.0.0
#################################################################
### Logger Details ###
User Name: Admin
IP: 127.0.0.1
Location: United States
Windows OS: Microsoft Windows 10 Pro 64bit
Windows Serial Key: W269N-WFGWX-YVC9B-4J6C9-T83GX
CPU: Intel Core Processor (Broadwell)
GPU: Microsoft Basic Display Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 2:39:54 PM
MassLogger Started: 5/21/2022 2:39:41 PM
Interval: 2 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\RFQ #031-24062020.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:

Targets

    • Target

      RFQ #031-24062020.exe

    • Size

      729KB

    • MD5

      4400d1b5d0c379b8e5dade14b3346569

    • SHA1

      5d7a1f8777069ac6462cdcd7aaa885b10e23472f

    • SHA256

      851f1641fb283113cc5feb03c807bc82dc4d85ecd22ab8ff091a8edd71bb45ed

    • SHA512

      75a275fda65c52cc831fc4750aecfc23408c86db5e0532566701902c32ac3807a918a89286f3ff795173c0af7cc5cf8e5c63a3c61fbc5762ed0cfe3d89386dd6

    • MassLogger

      MassLogger is a .NET stealer that targets passwords stored by browsers, email clients and cryptocurrency clients.

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    Scheduled Task (1) T1053
  • Persistence
    Scheduled Task (1) T1053
  • Privilege Escalation
    Scheduled Task (1) T1053
  • Credential Access
    Credentials in Files (1) T1081
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (2) T1082
  • Collection
    Data from Local System (1) T1005
    Email Collection (1) T1114

Tasks