General
Target

0b1e16ec3b9df30065ab12858d60db441afa2ad9f96e9a32e1f6c94eb675c71c

Size

676KB

Sample

220521-ppntjsahgn

Score
10/10
MD5

26d15bf678633c5fd4c87c3a7f022474

SHA1

7f72d275b52e5775960ba5169b2fa956542cd53b

SHA256

0b1e16ec3b9df30065ab12858d60db441afa2ad9f96e9a32e1f6c94eb675c71c

SHA512

6ced1d9dc47c27ef00a91323d86220d3f1697b5569437991d544a9c1d2e61cee16e49ad711923a9b85fad75352e1b3e44fdf30d1aafe8d3cd3f8f52472d42cd0

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v2.0.0.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.51 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 12:38:52 PM MassLogger Started: 5/21/2022 12:38:41 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\RFQ #031-24062020.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Extracted

Credentials

Protocol: smtp

Host: mail.privateemail.com

Port: 587

Username: binu@metalfabme.icu

Password: @Brazil20,,

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\F95B724EDE\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v2.0.0.0 ################################################################# ### Logger Details ### User Name: Admin IP: 127.0.0.1 Location: United States Windows OS: Microsoft Windows 10 Pro 64bit Windows Serial Key: W269N-WFGWX-YVC9B-4J6C9-T83GX CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:39:54 PM MassLogger Started: 5/21/2022 2:39:41 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\RFQ #031-24062020.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:
Targets
Target

RFQ #031-24062020.exe

MD5

4400d1b5d0c379b8e5dade14b3346569

Filesize

729KB

Score
10/10
SHA1

5d7a1f8777069ac6462cdcd7aaa885b10e23472f

SHA256

851f1641fb283113cc5feb03c807bc82dc4d85ecd22ab8ff091a8edd71bb45ed

SHA512

75a275fda65c52cc831fc4750aecfc23408c86db5e0532566701902c32ac3807a918a89286f3ff795173c0af7cc5cf8e5c63a3c61fbc5762ed0cfe3d89386dd6

Tags

Signatures

  • MassLogger

    Description

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    Tags

  • MassLogger log file

    Description

    Detects a log file produced by MassLogger.

  • ReZer0 packer

    Description

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    Tags

  • Checks computer location settings

    Description

    Looks up the country code configured in the registry, likely used for geofencing.

    TTPs

    Query Registry, System Information Discovery
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    Tags

    TTPs

    Data from Local System, Credentials in Files
  • Accesses Microsoft Outlook profiles

    Tags

    TTPs

    Email Collection
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation

Tasks

static1

Score
N/A