General

  • Target

    Quote.doc

  • Size

    323KB

  • Sample

    201215-53sxzq8asx

  • MD5

    b7ce7ad9f6a6a4d898f9851e92e7dd9c

  • SHA1

    a7cefdad7e19a306662ee6c00e058ebe43b9fcf9

  • SHA256

    a184462faa2f3a2a82439e7902fb5d47f4a6a784cff86931fb69ece85ad5d5e0

  • SHA512

    c266b17883891d194f002c28d81960922d8633cbb08094f590f92b2c6023248d0f6821d7b62655635e48c0629e3daaaa0b12cb79f202b376868fbf21e068dc47

Malware Config

Targets

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger Main Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Exploitation for Client Execution (T1203): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 3

    System Information Discovery (T1082): 3

  • Collection

    Data from Local System (T1005): 1

Tasks