General

  • Target

    436721c75699b2ced805e19545c98e72f8d9e3d2e93efdbba086911e98757036

  • Size

    1.9MB

  • Sample

    220521-pxlzxsbdcj

  • MD5

    bdc993a2fe4a8a10aa6814062e4408ff

  • SHA1

    c478c7c2604f066f71a4dd8a2938923f0cc7904f

  • SHA256

    436721c75699b2ced805e19545c98e72f8d9e3d2e93efdbba086911e98757036

  • SHA512

    4b1240a5e2bfaaa57b59fad71f9ea871faff02295103f4460edec1759a31446debefdcc41dfa7956c1a00f0c2a5a98b2582da4de57787686be42ad94a4d14c28

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt

Family

masslogger

Log file header (the report labels this field "Ransom Note"; it is the MassLogger Log.txt header, reflowed here one field per line)

################################################################# MassLogger v1.3.4.0 #################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.51
Location: United States
OS: Microsoft Windows 7 Ultimate 64bit
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 12:49:03 PM
MassLogger Started: 5/21/2022 12:48:52 PM
Interval: 96 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\DHL_MAY_.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\8236ADF044\Log.txt

Family

masslogger

Log file header (the report labels this field "Ransom Note"; it is the MassLogger Log.txt header, reflowed here one field per line)

################################################################# MassLogger v1.3.4.0 #################################################################
### Logger Details ###
User Name: Admin
IP: 154.61.71.50
Location: United States
OS: Microsoft Windows 10 Pro64bit
CPU: Intel Core Processor (Broadwell)
GPU: Microsoft Basic Display Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 2:48:30 PM
MassLogger Started: 5/21/2022 2:48:27 PM
Interval: 96 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\DHL_MAY_.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:
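As an added example (not part of this report and not MassLogger's own code), the following Python parser reads the Log.txt header quoted above. It assumes only the field names visible in the two extracted logs, restores the line breaks that the report collapsed onto one line, and pulls out what a responder wants first: the logger version, the victim account and external IP, the dropper path, the exfiltration interval, and whether the logger ran elevated. Both sample inputs are constructed from the headers quoted above.

```python
"""Parser for the MassLogger 'Logger Details' header found in the Log.txt
files extracted above.  Example code added to this page, not part of the
sandbox report or of MassLogger; the two samples are constructed from the
headers quoted in the report."""
import re

# Keys MassLogger v1.3.4.0 writes into the header, in the order seen above.
KNOWN_KEYS = (
    "User Name", "IP", "Location", "OS", "CPU", "GPU", "AV",
    "Screen Resolution", "Current Time", "MassLogger Started", "Interval",
    "MassLogger Process", "MassLogger Melt", "MassLogger Exit after delivery",
    "As Administrator", "Processes",
)

BANNER_RE = re.compile(r"^#+\s*MassLogger v(?P<version>[\d.]+)\s*#+\s*$", re.M)
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?):[ \t]*(?P<value>.*)$", re.M)

# Constructed sample 1: the first header from the report with its line
# breaks restored (raw string so the Windows path is kept verbatim).
SAMPLE_MULTILINE = r"""################# MassLogger v1.3.4.0 #################
### Logger Details ###
User Name: Admin
IP: 154.61.71.51
Location: United States
OS: Microsoft Windows 7 Ultimate 64bit
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 12:49:03 PM
MassLogger Started: 5/21/2022 12:48:52 PM
Interval: 96 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\DHL_MAY_.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:
"""

# Constructed sample 2: the second header exactly as the report shows it,
# collapsed onto a single line.
SAMPLE_FLAT = (
    r"################# MassLogger v1.3.4.0 ################# "
    r"### Logger Details ### User Name: Admin IP: 154.61.71.50 "
    r"Location: United States OS: Microsoft Windows 10 Pro64bit "
    r"CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter "
    r"AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:48:30 PM "
    r"MassLogger Started: 5/21/2022 2:48:27 PM Interval: 96 hour "
    r"MassLogger Process: C:\Users\Admin\AppData\Local\Temp\DHL_MAY_.exe "
    r"MassLogger Melt: false MassLogger Exit after delivery: false "
    r"As Administrator: True Processes:"
)


def unflatten(text):
    """Put each known field back on its own line.  A no-op on text that
    already has the line breaks, so it is safe to call unconditionally."""
    text = re.sub(r"\s+(?=### Logger Details ###)", "\n", text)
    for key in KNOWN_KEYS:
        text = re.sub(r"\s+(?=" + re.escape(key) + r":)", "\n", text)
    return text


def parse_masslogger_log(text):
    """Return {'version': ..., 'fields': {...}} or None if the banner is absent."""
    text = unflatten(text)
    m = BANNER_RE.search(text)
    if m is None:
        return None
    # Only the block between the banner and 'Processes:' is key/value;
    # the process list that follows is free-form and is not parsed here.
    header = text[m.end():]
    cut = header.find("Processes:")
    if cut != -1:
        header = header[:cut]
    fields = {fm.group("key").strip(): fm.group("value").strip()
              for fm in FIELD_RE.finditer(header)}
    return {"version": m.group("version"), "fields": fields}


def triage_indicators(log):
    """The fields an analyst wants first: who ran it, from where, how often
    it exfiltrates, whether it ran elevated, and whether it melts (self-deletes)."""
    f = log["fields"]
    interval = re.match(r"(\d+)\s*hour", f.get("Interval", ""))
    return {
        "version": log["version"],
        "user": f.get("User Name"),
        "external_ip": f.get("IP"),
        "process": f.get("MassLogger Process"),
        "exfil_interval_hours": int(interval.group(1)) if interval else None,
        "run_as_admin": f.get("As Administrator", "").lower() == "true",
        "melt": f.get("MassLogger Melt", "").lower() == "true",
    }


if __name__ == "__main__":
    for sample in (SAMPLE_MULTILINE, SAMPLE_FLAT):
        print(triage_indicators(parse_masslogger_log(sample)))
```

The banner regex is the detection check: a file without the `MassLogger v<version>` banner is rejected before any field parsing, and the parser stops at `Processes:` because everything after it is a free-form list rather than key/value pairs. Pointing it at a directory of recovered Log.txt files gives a quick table of victim accounts, dropper paths and exfiltration intervals to feed into containment.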

Targets

    • Target

      DHL_MAY_.EXE

    • Size

      1.3MB

    • MD5

      8f8abb6f33adbb7043c405bba2c19968

    • SHA1

      fcdd38b2b364d32b4294c3a0611f011afc0fd3f0

    • SHA256

      a3597ac0873ae3a71729eed1521710b6899ed9d886601b4b9e2ed207db1f087c

    • SHA512

      a04ebec5e31d4c91bfae3d601d91579e1d7c5ff08a8499b0c93faa53eab355ed137629806b18c655ee549d08272b8f5d3a608d526095e9fb7b601ffbbf5e15f3

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger Main Payload

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check (stealers commonly exit on certain locales before doing anything else).

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation; expect symbol names and method bodies in the .NET payload to be meaningless until deobfuscated.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP; this is the "IP:" value written into the Log.txt header above, so an outbound request to such a service shortly after execution is a useful network indicator.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites a thread's register state, including its instruction pointer. Loaders use it to start a suspended process at injected code (process hollowing / RunPE), so this signal suggests the unpacked stealer may execute in a different process from the dropper.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic      Technique                      Count  ID
  Discovery   Query Registry                 1      T1012
  Discovery   System Information Discovery   1      T1082

Tasks