General

  • Target

    Rmittance Advice 017700 9001.exe

  • Size

    989KB

  • Sample

    201205-pxkzf782re

  • MD5

    f71192136c55245729661eb552eaaf37

  • SHA1

    5fc3105a3a5346b76dd879f4af88d275376207c0

  • SHA256

    b5ac541a4baee69325c9f73ba6fe8e93d74fe3c302708373fab4fc0a55e3745b

  • SHA512

    6058fc16d032b69add57dc0f63e236e235eea114e0fdb48a78c72e8d119f06277af588b2fc3086ab1cbff49f82b909c156a244d1b5c5a513ca5f805c634ec252

Malware Config

Targets

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger Main Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks