3ecc0863d79785e8b6cb8bf003fcff6c41195e278aaed426ed26144b11d3710c

General

Target: 3ecc0863d79785e8b6cb8bf003fcff6c41195e278aaed426ed26144b11d3710c
Size: 2MB
Sample: 220521-pxv8lagbd7
Score: 10/10
MD5: e44b3f131a4d35aea1f0990816b944f0
SHA1: 6ee21f16b4c5422108166a05af9768e3317f8be8
SHA256: 3ecc0863d79785e8b6cb8bf003fcff6c41195e278aaed426ed26144b11d3710c
SHA512: d5c6f470d90f7b68ed46103127a312ca93eed173ca6d1e2b4af0fc695fbdda01bcd09d00641d9a65076a070cd2bad442b33c327322e6e8cc3ce842d6ac296b19

Malware Config

Extracted

Path: C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt
Family: masslogger
Ransom Note:
    ################################################################# MassLogger v1.3.6.0 #################################################################
    ### Logger Details ###
    User Name: Admin
    IP: 154.61.71.50
    Location: United States
    Windows OS: Microsoft Windows 7 Ultimate 64bit
    Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
    CPU: Intel Core Processor (Broadwell)
    GPU: Standard VGA Graphics Adapter
    AV: NA
    Screen Resolution: 1280x720
    Current Time: 5/21/2022 3:16:47 PM
    MassLogger Started: 5/21/2022 3:16:36 PM
    Interval: 2 hour
    MassLogger Process: C:\Users\Admin\AppData\Local\Temp\PO_75463.exe
    MassLogger Melt: false
    MassLogger Exit after delivery: false
    As Administrator: True
    Processes:

Extracted

Credentials
    Protocol: smtp
    Host: smtp.yandex.ru
    Port: 587
    Username: cruizjames@yandex.ru
    Password: cruizjamesvhjkl@

Extracted

Path: C:\Users\Admin\AppData\Local\Temp\F95B724EDE\Log.txt
Family: masslogger
Ransom Note:
    ################################################################# MassLogger v1.3.6.0 #################################################################
    ### Logger Details ###
    User Name: Admin
    IP: 154.61.71.50
    Location: United States
    Windows OS: Microsoft Windows 10 Pro64bit
    Windows Serial Key: W269N-WFGWX-YVC9B-4J6C9-T83GX
    CPU: Intel Core Processor (Broadwell)
    GPU: Microsoft Basic Display Adapter
    AV: NA
    Screen Resolution: 1280x720
    Current Time: 5/21/2022 3:16:38 PM
    MassLogger Started: 5/21/2022 3:16:35 PM
    Interval: 2 hour
    MassLogger Process: C:\Users\Admin\AppData\Local\Temp\PO_75463.exe
    MassLogger Melt: false
    MassLogger Exit after delivery: false
    As Administrator: True
    Processes:
Targets

Target: PO_75462.EXE
MD5: 22dbfe74635797260671cd5dbbf0a3bc
Filesize: 768KB
Score: 10/10
SHA1: 8cbdde1a2319ee60c9f6a9e05d2879362ab44668
SHA256: 6a83f449fc1dd1f88e89ba47a29c8e3a12b04145ae4377cddc5ca5a93ead0c91
SHA512: 713fa04c7dbf9612bf69336d0cc3b56f433db712a516a6496160706135fad58e8a31cb2a54e893ecebb49b34bf7466b330d44f1e9446fde0af9cda3f118eb88e

Signatures

  • AgentTesla
    Description: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
  • AgentTesla Payload
  • Executes dropped EXE
  • Checks computer location settings
    Description: Looks up the country code configured in the registry, likely a geofence.
    TTPs: Query Registry; System Information Discovery
  • Loads dropped DLL
  • Reads data files stored by FTP clients
    Description: Tries to access configuration files associated with programs like FileZilla.
    TTPs: Data from Local System; Credentials in Files
  • Reads user/profile data of local email clients
    Description: Email clients store some user data on disk, where infostealers often target it.
    TTPs: Data from Local System; Credentials in Files
  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials.
    TTPs: Data from Local System; Credentials in Files
  • Accesses Microsoft Outlook profiles
    TTPs: Email Collection
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry
  • Suspicious use of SetThreadContext

Target: PO_75463.EXE
MD5: 0e39e0f49e3f74b7fe492f2f9b4e0969
Filesize: 821KB
Score: 10/10
SHA1: bc7fce8afc2a2d379e3e0714191dae859e3771a8
SHA256: b8ac4a45dbd25ba8bb4f71d53bb8615f6d00b9be95b6e976567377957d92c428
SHA512: a9b7539a91aa8593b5a15f2536069591e105ab75484a2bf3900aedbe9c2f6ab6bbed33ab000995f776471f51c86df17a17475c3997a000b854324d42eec4783c

Signatures

  • MassLogger
    Description: MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
  • MassLogger Main Payload
  • MassLogger log file
    Description: Detects a log file produced by MassLogger.
  • Checks computer location settings
    Description: Looks up the country code configured in the registry, likely a geofence.
    TTPs: Query Registry; System Information Discovery
  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials.
    TTPs: Data from Local System; Credentials in Files
  • Accesses Microsoft Outlook profiles
    TTPs: Email Collection
  • Looks up external IP address via web service
    Description: Uses a legitimate IP lookup service to find the infected system's external IP.
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactics: Command and Control; Credential Access; Defense Evasion; Execution; Exfiltration; Impact; Initial Access; Lateral Movement; Privilege Escalation