masslogger | e9575adae2fa6afb6b8d8fb098feec9d4acbadabda4beeca90433b578cd6afa1 | Triage

Submit
Reports

Overview

overview

Static

static

TIRNAK.exe

windows7_x64

TIRNAK.exe

windows10_x64

Sharing

General

Target

TIRNAK.exe
Size

29KB
Sample

201215-9k9yn8545x
MD5

2cb0cf48d5eafbd16bbf8cdda749d628
SHA1

1b71449f295eae0994f4d62de838b1af168c0a09
SHA256

e9575adae2fa6afb6b8d8fb098feec9d4acbadabda4beeca90433b578cd6afa1
SHA512

1f6e0be8e3c66aa8a1ac7e41b26b0b29bf055039c3bd8116cb33aa5874077c1325fcbfc0a934e2fdd6da89acea34b1cf2875147f0470346afeca7e9193d79927

Score

10^/10

masslogger persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

TIRNAK.exe

Resource

win7v20201028

masslogger persistence spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

TIRNAK.exe

Resource

win10v20201028

masslogger persistence spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.porathacorp.com
Port:
587
Username:
devarajan@porathacorp.com
Password:
susila@22

Targets

- Target
  
  TIRNAK.exe
- Size
  
  29KB
- MD5
  
  2cb0cf48d5eafbd16bbf8cdda749d628
- SHA1
  
  1b71449f295eae0994f4d62de838b1af168c0a09
- SHA256
  
  e9575adae2fa6afb6b8d8fb098feec9d4acbadabda4beeca90433b578cd6afa1
- SHA512
  
  1f6e0be8e3c66aa8a1ac7e41b26b0b29bf055039c3bd8116cb33aa5874077c1325fcbfc0a934e2fdd6da89acea34b1cf2875147f0470346afeca7e9193d79927
Score

10^/10

masslogger persistence spyware stealer
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
  stealer spyware masslogger
- MassLogger Main Payload
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

massloggerpersistencespywarestealer

behavioral2

massloggerpersistencespywarestealer

© 2018-2024

Terms | Privacy