masslogger

General

Target

422f3b1774d6e486dcf3243ab8bd4b5a898e74d166c6a085174d4691177a4810
Size

1.5MB
Sample

220524-rv515aedf9
MD5

cf27e337a9d16df3db80e87ad9eb32c9
SHA1

9dad4990845987bb59d6de330239aa1d74705765
SHA256

422f3b1774d6e486dcf3243ab8bd4b5a898e74d166c6a085174d4691177a4810
SHA512

b4c688053bb41b147f5efd40f0a369263c46aba511c2cb33ab3b590216bba77e5263a7abd9956438eb9f9869713a11bcf3fdca54b6c27f776237d41c3c1ab223

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.4.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.51 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/24/2022 3:03:16 PM MassLogger Started: 5/24/2022 3:03:09 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Targets

- Target
  
  422f3b1774d6e486dcf3243ab8bd4b5a898e74d166c6a085174d4691177a4810
- Size
  
  1.5MB
- MD5
  
  cf27e337a9d16df3db80e87ad9eb32c9
- SHA1
  
  9dad4990845987bb59d6de330239aa1d74705765
- SHA256
  
  422f3b1774d6e486dcf3243ab8bd4b5a898e74d166c6a085174d4691177a4810
- SHA512
  
  b4c688053bb41b147f5efd40f0a369263c46aba511c2cb33ab3b590216bba77e5263a7abd9956438eb9f9869713a11bcf3fdca54b6c27f776237d41c3c1ab223
Score

10^/10

masslogger agilenet ransomware spyware stealer
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
  stealer spyware masslogger
- MassLogger Main Payload
- MassLogger log file
  Detects a log file produced by MassLogger.
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

MassLogger Main Payload

MassLogger log file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2