General

  • Target

    70% Balance Payment.doc

  • Size

    1.5MB

  • Sample

    201217-4yffk8vs4n

  • MD5

    63e67b366f23b4d30c4fdb120a476721

  • SHA1

    75f61f87cb74992b86b6c1ddab2c4c2c53196b54

  • SHA256

    d406b975d0f2b8252426508b73d1df1241e4272043ed22c9e64ad2d6ee4f45a9

  • SHA512

    c4a6c0680e236df043650df53aca101f3324e2667e3d7ff5e6e18b26b4580b0369d4390eb2ff243c9390d003d0cf43d4019e0be9c78f32135dc7b2f75fb7b358

Malware Config

Targets

    • MassLogger

      MassLogger is a .NET stealer that targets passwords saved by browsers, email clients and cryptocurrency clients.

    • MassLogger Main Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks