General

  • Target

    390c9d6078fafa5ac180640a91624c97bd890df83bd28935ed88da1c6d8f06f0

  • Size

    929KB

  • Sample

    220320-enrtpsgggn

  • MD5

    a2653b287dfa62a796468f3b4448ec4a

  • SHA1

    1991833faa3d891eada93247a1f71d807e09c4ee

  • SHA256

    390c9d6078fafa5ac180640a91624c97bd890df83bd28935ed88da1c6d8f06f0

  • SHA512

    3d4a226fba14ee9dfd4dd4b87ea497f89c52a6b626829ecd753175ca000c4901516ceaa93e0b96fd3ca5092bda296c596ed7ca25d696d31070cd8914b73da48e

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.karpen.com.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    M9%63P_G
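
The extracted configuration above is the sample's exfiltration channel: stolen data is mailed out through the attacker-controlled SMTP submission account. The script below is an added example, not part of the sandbox report, showing how a responder would turn these values into indicators and run them over connection logs and a file inventory. The SMTP host, port and file hashes are copied from this report; the hostnames, log lines and file paths are constructed for illustration. The mailbox password shown on the page is deliberately not used, since logging into the attacker's account is neither necessary for detection nor authorized.

```python
"""Match indicators from the MassLogger sandbox report against sample logs.

Added example, not part of the report. IOC values (SMTP host, port, hashes)
come from the report; the log lines and file inventory are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Indicators taken from the report above.
EXFIL_SMTP_HOST = "mail.karpen.com.tr"
EXFIL_SMTP_PORT = 587
SAMPLE_HASHES = {
    "a2653b287dfa62a796468f3b4448ec4a",                                   # MD5
    "1991833faa3d891eada93247a1f71d807e09c4ee",                           # SHA1
    "390c9d6078fafa5ac180640a91624c97bd890df83bd28935ed88da1c6d8f06f0",  # SHA256
}

# Constructed connection log (tab-separated):
# timestamp, source host, destination host, destination port, protocol
CONN_LOG = """\
2022-03-20T10:01:02Z\tws-0142\tupdate.example.net\t443\ttcp
2022-03-20T10:01:09Z\tws-0142\tmail.karpen.com.tr\t587\ttcp
2022-03-20T10:03:44Z\tws-0077\tMAIL.KARPEN.COM.TR\t587\ttcp
2022-03-20T10:05:10Z\tws-0099\tmail.karpen.com.tr\t25\ttcp
2022-03-20T10:07:31Z\tws-0142\tintranet.example.net\t80\ttcp
"""

# Constructed file inventory: (hostname, path, hash) with mixed algorithms/case.
FILE_INVENTORY = [
    ("ws-0142", r"C:\Users\a\AppData\Local\Temp\inv0320.exe",
     "390C9D6078FAFA5AC180640A91624C97BD890DF83BD28935ED88DA1C6D8F06F0"),
    ("ws-0077", r"C:\Users\b\Downloads\report.exe",
     "a2653b287dfa62a796468f3b4448ec4a"),
    ("ws-0099", r"C:\Windows\System32\notepad.exe",
     "d41d8cd98f00b204e9800998ecf8427e"),
]


@dataclass(frozen=True)
class Hit:
    host: str
    reason: str
    evidence: str


def match_exfil_connections(log_text: str) -> list[Hit]:
    """Flag connections to the extracted SMTP exfil host.

    Hostname comparison is case-insensitive. The report names port 587, so a
    match on that port is the primary signal, but any traffic to the host is
    still reported under a separate reason rather than silently dropped.
    """
    hits: list[Hit] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _proto = line.split("\t")
        if dst.lower() != EXFIL_SMTP_HOST:
            continue
        reason = "smtp-exfil" if int(port) == EXFIL_SMTP_PORT else "smtp-exfil-host-other-port"
        hits.append(Hit(src, reason, f"{ts} {dst}:{port}"))
    return hits


def match_known_hashes(inventory: list[tuple[str, str, str]]) -> list[Hit]:
    """Match file hashes of any algorithm against the report's MD5/SHA1/SHA256."""
    return [
        Hit(host, "masslogger-sample-hash", path)
        for host, path, digest in inventory
        if digest.lower() in SAMPLE_HASHES
    ]


def affected_hosts(log_text: str = CONN_LOG,
                   inventory: list[tuple[str, str, str]] = FILE_INVENTORY) -> dict[str, list[str]]:
    """Correlate both indicator types per host; hosts with both are highest priority."""
    by_host: dict[str, list[str]] = {}
    for hit in match_exfil_connections(log_text) + match_known_hashes(inventory):
        by_host.setdefault(hit.host, []).append(hit.reason)
    return by_host


if __name__ == "__main__":
    for host, reasons in sorted(affected_hosts().items()):
        print(host, sorted(set(reasons)))
```

In the constructed data, ws-0142 and ws-0077 show both the sample on disk and a session to the exfil host on 587, so they are the hosts to isolate first; ws-0099 only talked to the mail host on port 25, which is worth a look but is not by itself evidence of the stealer. Keying the hash match on all three digests in the report avoids missing hits when inventories record only one algorithm.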

Targets

    • Target

      390c9d6078fafa5ac180640a91624c97bd890df83bd28935ed88da1c6d8f06f0

    • Size

      929KB

    • MD5

      a2653b287dfa62a796468f3b4448ec4a

    • SHA1

      1991833faa3d891eada93247a1f71d807e09c4ee

    • SHA256

      390c9d6078fafa5ac180640a91624c97bd890df83bd28935ed88da1c6d8f06f0

    • SHA512

      3d4a226fba14ee9dfd4dd4b87ea497f89c52a6b626829ecd753175ca000c4901516ceaa93e0b96fd3ca5092bda296c596ed7ca25d696d31070cd8914b73da48e

    • MassLogger

      MassLogger is a .NET information stealer that targets passwords saved by web browsers, email clients and cryptocurrency clients.

    • MassLogger Main Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to determine the infected system's public IP address.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks