2026-01-07: MassLogger infection from email attachment
2026-01-08 01:43  Author: www.malware-traffic-analysis.net (view original)

2026-01-07 (WEDNESDAY): MASSLOGGER INFECTION FROM EMAIL ATTACHMENT

NOTICE:

  • Zip files are password-protected.  Of note, this site has a new password scheme.  For the password, see the "about" page of this website.


INFECTION CHAIN:

- email --> attached archive --> extracted malware (MassLogger)

EMAIL INFORMATION:

- Received: from [77.83.39[.]187] (unknown [77.83.39[.]187]) [info removed] Wed, 07 Jan 2026 00:18:26 +0000 (UTC)
- From: ERDOĞAN METO (RFC 2047 encoded in the header as =?UTF-8?B?RVJET8SeQU4gTUVUTw==?=)
- Subject: Coralp 31.12 fatura
- Date: 7 Jan 2026 00:18:21 +0000
- Attachment name: CORALP-YBY BUILDERS FREIGHT INVOICES AS OF 12.31.TAR

- Received: from [77.83.39[.]187] (unknown [77.83.39[.]187]) [info removed] Wed, 07 Jan 2026 00:52:44 +0000 (UTC)
- From: Dina Naamani
- Subject: Backcombined-Request for Quotation - 171595
- Date: 7 Jan 2026 00:52:43 +0000
- Attachment name: Request for Quotation - 171595.z

EMAIL ATTACHMENTS:

- SHA256 hash: 82710b020989bc478c77ccec052a6af50d93eb0b8cf6a2b72579bff21c8fe3c8
- File size: 491,998 bytes
- File type: Zip archive data, at least v2.0 to extract, compression method=deflate
- File name: CORALP-YBY BUILDERS FREIGHT INVOICES AS OF 12.31.TAR

- SHA256 hash: 241776fc69196b89dd17f06ccba50bd0d00dd1422c4ffbd1230eb828b021853b
- File size: 491,962 bytes
- File type: Zip archive data, at least v2.0 to extract, compression method=deflate
- File name: Request for Quotation - 171595.z

EXTRACTED EXE FOR MASSLOGGER:

- SHA256 hash: f1d8e427f3a3d10ea5ac9f28cbb930bf61e42672af641335d417b57bd2860005
- File size: 590,856 bytes
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File name: CORALP-YBY BUILDERS FREIGHT INVOICES AS OF 12.31.exe
- File name: Request for Quotation - 171595.exe
- Sandbox analysis: https://tria.ge/260107-wmt14sez3g
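The two emails above carry a zip archive whose file name says ".TAR" or ".z", and the archive holds a .NET PE file. The script below is an added example, not part of the original page: it builds a constructed message in memory that mimics the second email (an RFC 2047 encoded From header, a zip named ".z", a stub file with only the MZ/PE markers in place of the real sample), then decodes the sender, extracts every attachment, flags archives whose real type does not match their extension, lists members that are PE files or carry executable extensions, and compares SHA256 values against the hashes published on this page. The sender address, recipient and stub contents are assumptions made for the demo.

```python
"""Added example (not from the original page): triage a mail with an archive
attachment whose name does not match its real type.  The message is constructed
here; the "exe" inside is a two-marker stub, not the MassLogger sample."""
import hashlib
import io
import os
import zipfile
from email import message_from_bytes
from email.header import decode_header, make_header
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# SHA256 values published on this page (the two attachments and the extracted exe).
KNOWN_IOC_SHA256 = {
    "82710b020989bc478c77ccec052a6af50d93eb0b8cf6a2b72579bff21c8fe3c8": "attachment .TAR (zip)",
    "241776fc69196b89dd17f06ccba50bd0d00dd1422c4ffbd1230eb828b021853b": "attachment .z (zip)",
    "f1d8e427f3a3d10ea5ac9f28cbb930bf61e42672af641335d417b57bd2860005": "MassLogger exe",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}


def build_sample_email() -> bytes:
    """Constructed message mimicking the second email: zip named .z, stub .exe inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # DOS "MZ" marker plus a "PE\0\0" signature only; inert, not a real binary.
        zf.writestr("Request for Quotation - 171595.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
    msg = MIMEMultipart()
    # Same RFC 2047 encoded-word form seen in the first email's From header.
    # The mailbox and recipient are assumed values for the demo.
    msg["From"] = "=?UTF-8?B?RVJET8SeQU4gTUVUTw==?= <sender@example.invalid>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Backcombined-Request for Quotation - 171595"
    msg.attach(MIMEText("Please see the attached quotation."))
    part = MIMEApplication(buf.getvalue(), Name="Request for Quotation - 171595.z")
    part.add_header("Content-Disposition", "attachment", filename="Request for Quotation - 171595.z")
    msg.attach(part)
    return msg.as_bytes()


def decode_rfc2047(value: str) -> str:
    """Decode =?charset?B?...?= words so the display name is readable by an analyst."""
    return str(make_header(decode_header(value)))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_attachments(raw_message: bytes) -> dict:
    """Return the decoded sender plus one record per attachment with type and IOC findings."""
    msg = message_from_bytes(raw_message)
    report = {"from": decode_rfc2047(msg.get("From", "")), "attachments": []}
    for part in msg.walk():
        name = part.get_filename()
        if part.get_content_maintype() == "multipart" or not name:
            continue
        data = part.get_payload(decode=True)
        ext = os.path.splitext(name)[1].lower()
        is_zip = zipfile.is_zipfile(io.BytesIO(data))
        rec = {
            "name": name,
            "sha256": sha256(data),
            "ioc_match": KNOWN_IOC_SHA256.get(sha256(data)),
            "is_zip": is_zip,
            # A zip that is not named .zip is the tell here (.TAR and .z in the page's samples).
            "ext_mismatch": is_zip and ext != ".zip",
            "members": [],
        }
        if is_zip:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    content = zf.read(info)
                    rec["members"].append({
                        "name": info.filename,
                        "sha256": sha256(content),
                        "ioc_match": KNOWN_IOC_SHA256.get(sha256(content)),
                        "is_pe": content[:2] == b"MZ",
                        "exec_ext": os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXTS,
                    })
        risky = rec["ext_mismatch"] or any(m["is_pe"] or m["exec_ext"] for m in rec["members"])
        rec["verdict"] = "suspicious" if risky else "clean"
        report["attachments"].append(rec)
    return report


if __name__ == "__main__":
    for att in triage_attachments(build_sample_email())["attachments"]:
        print(att["name"], att["verdict"], att["members"])
```

Because the constructed zip is rebuilt locally, its hashes do not match the published IOCs; the extension mismatch and the MZ header inside the archive still fire, which is the point of checking structure rather than relying on hash lists alone.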

DATA EXFILTRATION INFO FOR MASSLOGGER:

- Host: cphost14.qhoster[.]net
- Data exfiltration email address: kingnovasend@mcnzxz[.]com

POST-INFECTION TRAFFIC:

- TCP port 80 - checkip.dyndns[.]org - GET /
- TCP port 443 - reallyfreegeoip[.]org - HTTPS traffic
- TCP port 587 - cphost14.qhoster[.]net - encrypted SMTP traffic
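The three post-infection flows above form a recognisable sequence: a plaintext external IP check, a GeoIP lookup over HTTPS, then an SMTP session on TCP/587 to a hosting-provider mail server. The detection below is an added example, not part of the original page: it correlates those stages per source host inside a ten-minute window and generalises the last step to any TCP/587 session to a host outside an allowlist of approved submission relays, so it would also catch a different exfiltration mailbox. The log lines are constructed for the demo in a simplified pipe-separated format (not real Zeek output), the 203.0.113.x destinations are documentation addresses, and the allowlist entry is an assumed corporate relay.

```python
"""Added example (not from the original page): correlate the MassLogger
post-infection sequence (IP check, GeoIP lookup, SMTP submission on 587)
per source host.  Log lines are constructed; the record format is a
simplified one made up for this demo."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the site's sanctioned outbound mail submission hosts.
APPROVED_SMTP_HOSTS = {"smtp.office365.com"}
WINDOW = timedelta(minutes=10)

# Constructed records: ts|src|dst|dport|service|server name
# (server name taken from the HTTP Host header, TLS SNI, or the DNS answer).
SAMPLE_LOG = """\
2026-01-07T00:31:02Z|10.1.7.55|203.0.113.10|80|http|checkip.dyndns.org
2026-01-07T00:31:04Z|10.1.7.55|203.0.113.11|443|ssl|reallyfreegeoip.org
2026-01-07T00:31:09Z|10.1.7.55|203.0.113.12|587|smtp|cphost14.qhoster.net
2026-01-07T00:40:00Z|10.1.7.90|203.0.113.10|80|http|checkip.dyndns.org
2026-01-07T00:41:00Z|10.1.7.23|203.0.113.20|587|smtp|smtp.office365.com
2026-01-07T09:15:00Z|10.1.7.23|203.0.113.11|443|ssl|reallyfreegeoip.org
2026-01-07T09:16:00Z|10.1.7.23|203.0.113.10|80|http|checkip.dyndns.org
"""


def parse_line(line: str) -> dict:
    ts, src, dst, dport, service, server = line.strip().split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src, "dst": dst,
            "dport": int(dport), "service": service, "server": server}


def stage(ev: dict):
    """Map one record to a stage of the observed sequence, or None if it matches none."""
    if ev["dport"] == 80 and ev["service"] == "http" and ev["server"] == "checkip.dyndns.org":
        return "ip_check"
    if ev["dport"] == 443 and ev["server"] == "reallyfreegeoip.org":
        return "geoip_check"
    # Generalised: any submission-port session to a host that is not an approved relay.
    if ev["dport"] == 587 and ev["server"] not in APPROVED_SMTP_HOSTS:
        return "smtp_submission"
    return None


def detect(lines) -> list:
    """Alert when a host performs both lookups and then an unapproved SMTP session within WINDOW."""
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        s = stage(ev)
        if s:
            by_src[ev["src"]].append((ev, s))
    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0]["ts"])
        for ev, s in events:
            if s != "smtp_submission":
                continue
            # Both reconnaissance lookups must precede the SMTP session inside the window.
            prior = {st for e, st in events if ev["ts"] - WINDOW <= e["ts"] <= ev["ts"]}
            if {"ip_check", "geoip_check"} <= prior:
                alerts.append({"src": src, "exfil_host": ev["server"],
                               "exfil_dst": ev["dst"], "ts": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the constructed data only 10.1.7.55 trips the rule: 10.1.7.90 performs the IP check alone (a dynamic DNS client does the same), and 10.1.7.23 uses an approved relay and performs the two lookups hours later with no SMTP session, so neither host alerts.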

IMAGES (not reproduced here):

- One of the emails with an attached archive file for MassLogger.
- Traffic from an infection filtered in Wireshark.
- Example of a data exfiltration email sent by a MassLogger-infected host.



Source: https://www.malware-traffic-analysis.net/2026/01/07/index.html