General

  • Target

    32439b531876d0d85388dd99e7693bd5557266ac6b686ee18073272acba05109

  • Size

    877KB

  • Sample

    220525-bgph8adge5

  • MD5

    453319e8c688a32e6082215c5a352809

  • SHA1

    11b33cbb758a49082abced35ad2c44e971f2f2ff

  • SHA256

    32439b531876d0d85388dd99e7693bd5557266ac6b686ee18073272acba05109

  • SHA512

    f2e9ca362b003ec04f692e3fc52235a6643bfef0d7732f215818db19b207c46ffc638c44eda96a52f3b45a557fb8bed1e074d89e3813da9977393fea69032d65

Malware Config

Extracted

  • Path

    C:\Users\Admin\AppData\Local\Temp\3B8E3C2477\Log.txt

  • Family

    masslogger

  • Ransom Note

    ################################################################# MassLogger v1.3.6.0 #################################################################
    ### Logger Details ###
    User Name: Admin
    IP: 154.61.71.50
    Location: United States
    Windows OS: Microsoft Windows 7 Ultimate 64bit
    Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
    CPU: Intel Core Processor (Broadwell)
    GPU: Standard VGA Graphics Adapter
    AV: NA
    Screen Resolution: 1280x720
    Current Time: 5/25/2022 3:09:08 AM
    MassLogger Started: 5/25/2022 3:08:59 AM
    Interval: 2 hour
    MassLogger Process: C:\Users\Admin\AppData\Local\Temp\kesh.exe
    MassLogger Melt: false
    MassLogger Exit after delivery: false
    As Administrator: True
    Processes:

Targets

    • Target

      kesh.exe

    • Size

      1.3MB

    • MD5

      aff458f89b918aca8c12c638ce8fece2

    • SHA1

      24bddc3fee66de67a6db095ed22033af895e7b41

    • SHA256

      3ce259abdca64cabc5ac51d1810ccff6a02fed247f4e65884d4fa4d23f18e086

    • SHA512

      ae8c5e8afcfad1359566dee132b24dca1f8e40d3eadac9302075bb326b10ee7e1de25de3f37957dd7c665b2eb3687afd824b35003918b68e4c83fda7d69ada17

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger Main Payload

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 1

  • Collection

    Data from Local System (T1005): 1
    Email Collection (T1114): 1

Tasks