General

  • Target

    60091743pdf.exe

  • Size

    1.1MB

  • Sample

    200830-m9clz2tjpj

  • MD5

    c9b3ce0f3c3350621b6df632369a58f8

  • SHA1

    ac29d51d75264cad92760259a8b2a4c358516975

  • SHA256

    9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4

  • SHA512

    96a329657409994e8485ded30d9dce953ee19489ab6242df62a2cade14ea107b328043c7ec7c024c3151370c41a16e12fa3ef3bc5371796d436c723b8a3da690

Malware Config

Targets

    • MassLogger

      MassLogger is a .NET stealer that targets passwords stored by browsers, email clients and cryptocurrency clients.

    • MassLogger Main Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofencing check.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials and similar secrets.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                   Count  ID
  Execution             Scheduled Task              1      T1053
  Persistence           Scheduled Task              1      T1053
  Privilege Escalation  Scheduled Task              1      T1053
  Credential Access     Credentials in Files        1      T1081
  Discovery             Query Registry              1      T1012
  Discovery             System Information Discovery 1     T1082
  Collection            Data from Local System      1      T1005

Tasks