General

  • Target

    Halkbank_Ekstre_20200630_080918_33024.exe

  • Size

    1.4MB

  • Sample

    200630-zmp7dp45mx

  • MD5

    11e9c56a731fbc422bf3cf39b31c107f

  • SHA1

    96dfe8d71945e32732895f5f43146225844e23de

  • SHA256

    97430106f3fbf62f0c11f473012392d5b9eaeade9a0f2c6c7ea21e8d6d69f02c

  • SHA512

    eb360b954c38cfbf4ba51fce9979fab1ef737a65709fa07ad20413a9b8b92b060bbf931a006a3030e027f0a2e67437ac14479042203c6efdb50fb12723dce984

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\E2C1E8F1FA\Log.txt

Family

masslogger

Ransom Note
################################################################# MassLogger v1.3.3.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.51 Location: United States OS: Microsoft Windows 7 Professional 64bit CPU: Persocon Processor 2.5+ GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 6/30/2020 5:39:57 PM MassLogger Started: 6/30/2020 5:39:51 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe As Administrator: True

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    m4cfund@yandex.com
  • Password:
    Dmacdavid

Targets

    • Target

      Halkbank_Ekstre_20200630_080918_33024.exe

    • Size

      1.4MB

    • MD5

      11e9c56a731fbc422bf3cf39b31c107f

    • SHA1

      96dfe8d71945e32732895f5f43146225844e23de

    • SHA256

      97430106f3fbf62f0c11f473012392d5b9eaeade9a0f2c6c7ea21e8d6d69f02c

    • SHA512

      eb360b954c38cfbf4ba51fce9979fab1ef737a65709fa07ad20413a9b8b92b060bbf931a006a3030e027f0a2e67437ac14479042203c6efdb50fb12723dce984

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Tasks