General
Target: TIRNAK.exe
Size: 29KB
Sample: 201215-9k9yn8545x
MD5: 2cb0cf48d5eafbd16bbf8cdda749d628
SHA1: 1b71449f295eae0994f4d62de838b1af168c0a09
SHA256: e9575adae2fa6afb6b8d8fb098feec9d4acbadabda4beeca90433b578cd6afa1
SHA512: 1f6e0be8e3c66aa8a1ac7e41b26b0b29bf055039c3bd8116cb33aa5874077c1325fcbfc0a934e2fdd6da89acea34b1cf2875147f0470346afeca7e9193d79927
Static task: static1
Behavioral task: behavioral1 (Sample: TIRNAK.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: TIRNAK.exe, Resource: win10v20201028)
Malware Config
Extracted
Protocol: smtp
Host: mail.porathacorp.com
Port: 587
Username: devarajan@porathacorp.com
Password: susila@22
Targets
Target: TIRNAK.exe
Size: 29KB
MD5: 2cb0cf48d5eafbd16bbf8cdda749d628
SHA1: 1b71449f295eae0994f4d62de838b1af168c0a09
SHA256: e9575adae2fa6afb6b8d8fb098feec9d4acbadabda4beeca90433b578cd6afa1
SHA512: 1f6e0be8e3c66aa8a1ac7e41b26b0b29bf055039c3bd8116cb33aa5874077c1325fcbfc0a934e2fdd6da89acea34b1cf2875147f0470346afeca7e9193d79927
Score: 10/10
Signatures
MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
MassLogger Main Payload
Modifies WinLogon for persistence
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
Deletes itself
Drops startup file
Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext