VRad

#MassLogger_180820

Aug 18th, 2020 (edited)
#IOC #OptiData #VR #MassLogger #NET #Stealer #RAR #EXE #PowerShell

https://pastebin.com/4uXgesYV

MassLogger identified with help of @James_inthe_box
Binaries were correctly decoded by @ni_fi_70

FAQ:
https://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7
https://github.com/advanced-threat-research/Yara-Rules/blob/master/malware/MALW_masslogger_stealer.yar
https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html
https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/
https://fr3d.hk/blog/masslogger-frankenstein-s-creation

attack_vector
--------------
email attach .dat (RAR) > EXE > PowerShell > GET .jpg > decode > inject > steal

email_headers
--------------
Return-Path: <europamarket@ukr.net>
Received: from diez.sitserver.es (localhost.localdomain [127.0.0.1])
by diez.sitserver.es (Postfix) with ESMTPSA id E09911203E87;
Received: from r-199-61-62-5.ff.avast.com (r-199-61-62-5.ff.avast.com
[5.62.61.199]) by webmail.publiactiva.com (Horde Framework)
Date: Tue, 18 Aug 2020 05:53:43 +0000
From: europamarket@ukr.net
Subject: Fwd: Супровідний платіж 18-18-2020 08:49:43
User-Agent: Horde Application Framework 5
X-FE-ORIG-ENV-FROM: europamarket@ukr.net
X-FEAS-CLIENT-IP: 95.216.245.200

files
--------------
SHA-256 21bb50ff9f59c9381ba79763f53ee12563502fd647ae20f54868074640a4911d
File name Untitled attachment 00182.dat [ RAR archive data, vc1, Locked, os: OS/2 ]
File size 24.01 KB (24586 bytes)

SHA-256 2f49691118a908eb48c777e70065854e619b438bc317199b3559a1d8d5cddc6d
File name Доказ оплати...exe [PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly]
File size 53.50 KB (54784 bytes)

SHA-256 c06d5538f6d2e875d49601a403d1cbd3ac636004b4ee106f69a1aa2fa13aeabf
File name Q9.jpg [ASCII text, with very long lines, with no line terminators]
File size 5.38 MB (5640802 bytes)

SHA-256 9fa11ac7c21c590f61767f2cbf7f3e17235cd43bd0587875817d02a624e3c6a4
File name InstallUtil.exe.inactive [ .NET executable ]
File size 709.50 KB (726528 bytes)

SHA-256 82bd8e28f81160039e462330daee5190d7f474e76723aea057ddeadb201bc55c
File name beef.dll [.NET executable]
File size 25.00 KB (25600 bytes)

activity
--------------
PL_SCR privatnidoktoricacak.com/Q9.jpg

C2 94.127.7.174
exfil on smtp.gmail.com

netwrk
--------------
[ssl]
smtp.gmail.com

[http]
217.26.215.27 privatnidoktoricacak.com GET /Q9.jpg HTTP/1.1

comp
--------------
powershell.exe 3392 TCP 217.26.215.27 80 ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\1.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $NjBXI='...';$jm=$NjBXI.Split('^') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
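
The PowerShell entry in the proc section is the whole stage-1 loader: a '^'-separated string of hex values is split, each token is turned into a character with [char]([convert]::toint16($_,16)), the result is joined and piped into IEX, whose name is broken up with backticks (I`E`X) to dodge naive string matching. The following is an added triage helper, not part of the original paste and not MassLogger code: it pulls such a literal out of a logged command line, decodes it the same way the loader does, and reports which of the loader's markers a detection rule could key on. The hex payload in the sample command line is a constructed harmless placeholder (it decodes to a Write-Host), because the real stage-2 literal is elided ('...') above; the variable name NjBXI is taken from the paste.

```python
import re

# Constructed sample command line, modelled on the proc entry above. The
# hex payload is a harmless placeholder, not the real (elided) stage 2.
SAMPLE_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -ExecutionPolicy Bypass '
    "$NjBXI='57^72^69^74^65^2d^48^6f^73^74^20^27^73^74^61^67^65^32^27';"
    "$jm=$NjBXI.Split('^') | forEach {[char]([convert]::toint16($_,16))};"
    "$jm -join ''|I`E`X"
)

# A PowerShell variable assigned a single-quoted literal made only of hex
# digits and '^' separators. The '^' inside .Split('^') does not match on its
# own because the literal has to be preceded by "$name=".
HEX_LITERAL_RE = re.compile(r"\$(\w+)\s*=\s*'([0-9A-Fa-f^]+)'")


def decode_caret_hex(blob):
    """Mirror [char]([convert]::toint16($_,16)) over the '^'-separated tokens."""
    return "".join(chr(int(tok, 16)) for tok in blob.split("^") if tok)


def extract_stage2(cmdline):
    """Return the variable name, token count and decoded text of the first
    hex/caret literal in a command line, or None when there is none (for
    instance the paste's own line, where the literal is elided as '...')."""
    m = HEX_LITERAL_RE.search(cmdline)
    if m is None:
        return None
    name, blob = m.groups()
    return {
        "variable": name,
        "tokens": blob.count("^") + 1,
        "decoded": decode_caret_hex(blob),
    }


def normalize_powershell(cmdline):
    """Drop backtick escapes (I`E`X -> IEX) and case so matching is stable."""
    return cmdline.replace("`", "").lower()


# Patterns a detection rule can key on; each is visible in the proc entry.
LOADER_MARKERS = {
    "execpolicy_bypass": r"-executionpolicy\s+bypass",
    "caret_split": r"\.split\('\^'\)",
    "hex_to_char": r"\[char\]\(\[convert\]::toint16\(",
    "invoke_expression": r"(?:\biex\b|invoke-expression)",
}


def loader_markers(cmdline):
    """Names of the loader markers present in a (normalized) command line."""
    norm = normalize_powershell(cmdline)
    return sorted(k for k, pat in LOADER_MARKERS.items() if re.search(pat, norm))


if __name__ == "__main__":
    print(loader_markers(SAMPLE_CMDLINE))
    print(extract_stage2(SAMPLE_CMDLINE))
```

Running the script against the sample prints all four marker names and the decoded placeholder text. Matching on the normalized command line rather than the raw one is the point of normalize_powershell: the backtick-split I`E`X is only an obstacle for rules that look at the raw string. Feed it process-creation telemetry (for example the command-line field of a Sysmon or EDR event) and the decoded output tells an analyst what the next stage does before any of it runs.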
  81.  
persist
--------------
n/a

drop
--------------
n/a (all done by powershell)

# # #
https://www.virustotal.com/gui/file/21bb50ff9f59c9381ba79763f53ee12563502fd647ae20f54868074640a4911d/details
https://www.virustotal.com/gui/file/2f49691118a908eb48c777e70065854e619b438bc317199b3559a1d8d5cddc6d/details
https://www.virustotal.com/gui/file/c06d5538f6d2e875d49601a403d1cbd3ac636004b4ee106f69a1aa2fa13aeabf/details
https://www.virustotal.com/gui/file/9fa11ac7c21c590f61767f2cbf7f3e17235cd43bd0587875817d02a624e3c6a4/details


VR
