2026-01-07 (WEDNESDAY): MASSLOGGER INFECTION FROM EMAIL ATTACHMENT


INFECTION CHAIN:

- email --> attached archive --> extracted malware (MassLogger)

EMAIL INFORMATION:

- Received: from [77.83.39[.]187] (unknown [77.83.39[.]187]) [info removed] Wed, 07 Jan 2026 00:18:26 +0000 (UTC)
- From: =?UTF-8?B?RVJET8SeQU4gTUVUTw==?= 
- Subject: Coralp 31.12 fatura
- Date: 7 Jan 2026 00:18:21 +0000
- Attachment name: CORALP-YBY BUILDERS FREIGHT INVOICES AS OF 12.31.TAR

- Received: from [77.83.39[.]187] (unknown [77.83.39[.]187]) [info removed] Wed, 07 Jan 2026 00:52:44 +0000 (UTC)
- From: Dina Naamani
- Subject: Backcombined-Request for Quotation - 171595
- Date: 7 Jan 2026 00:52:43 +0000
- Attachment name: Request for Quotation - 171595.z

EMAIL ATTACHMENTS:

- SHA256 hash: 82710b020989bc478c77ccec052a6af50d93eb0b8cf6a2b72579bff21c8fe3c8
- File size: 491,998 bytes
- File type: Zip archive data, at least v2.0 to extract, compression method=deflate
- File name: CORALP-YBY BUILDERS FREIGHT INVOICES AS OF 12.31.TAR

- SHA256 hash: 241776fc69196b89dd17f06ccba50bd0d00dd1422c4ffbd1230eb828b021853b
- File size: 491,962 bytes
- File type: Zip archive data, at least v2.0 to extract, compression method=deflate
- File name: Request for Quotation - 171595.z

EXTRACTED EXE FOR MASSLOGGER:

- SHA256 hash: f1d8e427f3a3d10ea5ac9f28cbb930bf61e42672af641335d417b57bd2860005
- File size: 590,856 bytes
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File name: CORALP-YBY BUILDERS FREIGHT INVOICES AS OF 12.31.exe
- File name: Request for Quotation - 171595.exe
- Sandbox analysis: https://tria.ge/260107-wmt14sez3g

DATA EXFILTRATION INFO FOR MASSLOGGER:

- Host: cphost14.qhoster[.]net
- Data exfiltration email address: kingnovasend@mcnzxz[.]com

POST-INFECTION TRAFFIC:

- TCP port 80 - checkip.dyndns[.]org - GET /
- TCP port 443 - reallyfreegeoip[.]org - HTTPS traffic
- TCP port 587 - cphost14.qhoster[.]net - encrypted SMTP traffic
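The three post-infection connections above form a sequence a defender can correlate per host. The following Python, added here and not part of the original write-up, flags a client that performs the IP check or geoip lookup and then, within a short window, submits mail on TCP 587 to a host outside a sanctioned relay list; it generalizes beyond the single exfil host listed. The log lines, client IPs, timestamps and the relay allowlist are constructed.

```python
"""Correlate the MassLogger post-infection traffic pattern over flow logs.
Added example, not code from the write-up: indicator domains come from the
page above; log lines, client IPs and timestamps are constructed."""
from collections import defaultdict

# Indicators from the write-up: external-IP check, then geolocation lookup,
# then encrypted SMTP on TCP 587 carrying the stolen data.
IP_CHECK_HOSTS = {"checkip.dyndns.org"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
ALLOWED_SMTP_RELAYS = {"mail.example.com"}  # constructed: sanctioned relays
WINDOW = 300  # seconds from the first indicator to the SMTP connection

# Constructed flow records: timestamp, client IP, server name (Host/SNI), port.
SAMPLE_LOG = """\
1767744000 10.1.1.20 checkip.dyndns.org 80
1767744003 10.1.1.20 reallyfreegeoip.org 443
1767744010 10.1.1.20 cphost14.qhoster.net 587
1767744050 10.1.1.21 checkip.dyndns.org 80
1767744090 10.1.1.22 mail.example.com 587
"""
def parse(log):
    for line in log.splitlines():
        ts, client, server, port = line.split()
        yield int(ts), client, server.lower(), int(port)

def detect(log=SAMPLE_LOG):
    """Return {client: [stages]} for clients that made an IP-check or geoip
    request and then, within WINDOW seconds, submitted mail on TCP 587 to a
    host that is not a sanctioned relay (the MassLogger exfil pattern)."""
    by_client = defaultdict(list)
    for ts, client, server, port in parse(log):
        by_client[client].append((ts, server, port))
    hits = {}
    for client, events in by_client.items():
        stages, first_ts = [], None
        for ts, server, port in sorted(events):
            if port == 80 and server in IP_CHECK_HOSTS:
                stages.append("ip-check")
            elif port == 443 and server in GEOIP_HOSTS:
                stages.append("geoip")
            elif (port == 587 and server not in ALLOWED_SMTP_RELAYS
                  and first_ts is not None and ts - first_ts <= WINDOW):
                stages.append("smtp-exfil")
            else:
                continue
            if first_ts is None:
                first_ts = ts
        if "smtp-exfil" in stages:
            hits[client] = stages
    return hits
```

Only the client that completes the chain is reported; a lone IP check or mail to a sanctioned relay is not enough on its own.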

IMAGES

- Image (not included here): One of the emails with an attached archive file for MassLogger.

- Image (not included here): Traffic from an infection filtered in Wireshark.

- Image (not included here): Example of a data exfiltration email sent by a MassLogger-infected host.