General

  • Target

    PAY SLIP.doc

  • Size

    1.6MB

  • Sample

    201217-wjvqjsmwan

  • MD5

    badeca12a37ded3432f2c91260d438f7

  • SHA1

    d51667dcda40dcf5f99ecfcd04be6f121b4e44af

  • SHA256

    1fb6e6de431cb7352cb01ac2ce4a0cbeac9d50df267401a481f315b0e3bf7ff3

  • SHA512

    ed7cd72d0a1132128f5b7c0bd59838ab8000a097453345a838df762456ba5d974e54d5454e86a6b994104a70b9f73ba8dd747096fd25347dfd591daea65b762f

Malware Config

Targets

    • Target

      PAY SLIP.doc

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger Main Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive material.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                          Count  ID
  Execution          Exploitation for Client Execution  1      T1203
  Defense Evasion    Modify Registry                    1      T1112
  Credential Access  Credentials in Files               1      T1081
  Discovery          Query Registry                     3      T1012
  Discovery          System Information Discovery       3      T1082
  Collection         Data from Local System             1      T1005

Tasks