General

  • Target

    1df387bbcfc8d43b35a7f41993effb93d0a9676b2c30fc91639b4c62d36abf38

  • Size

    1.2MB

  • Sample

    220329-x4xc8sedcj

  • MD5

    d2faff0b76175db9510157cdca14595f

  • SHA1

    6da43da8954381d238b34f7e78a0d4989cc1e6dd

  • SHA256

    1df387bbcfc8d43b35a7f41993effb93d0a9676b2c30fc91639b4c62d36abf38

  • SHA512

    e8756d6dfa41a5ee71625f3b1d68825521a51f9c158d46e7d23fbe5d1d49f7ed783b3d642b115c8f19fc770c86116a42cd3682637fa7dbf30e69171912273031

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    bh-58.webhostbox.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    7213575aceACE@#

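The extracted configuration above is the stealer's exfiltration channel: stolen data is mailed out through an SMTP submission account on the listed host. The following is an added example (not part of the report or of the MassLogger code) showing what that authentication looks like on the wire and how to recover the credentials from a plaintext SMTP transcript so a capture can be tied back to this config. The transcript is constructed inside the script, not a real capture, and the username is a hypothetical placeholder because the page elides the real one.

```python
import base64

# Values from this report's extracted config. The username on the page is elided,
# so "exfil@example.com" below is a hypothetical placeholder, not the real account.
EXTRACTED_CONFIG = {
    "host": "bh-58.webhostbox.net",
    "port": 587,
    "username": "exfil@example.com",   # placeholder (assumption)
    "password": "7213575aceACE@#",
}


def _b64(s):
    return base64.b64encode(s.encode()).decode()


def build_auth_login_session(username, password):
    """Construct a plaintext SMTP AUTH LOGIN exchange (constructed sample, not a capture)."""
    return [
        "S: 220 bh-58.webhostbox.net ESMTP",
        "C: EHLO victim-pc",
        "S: 250-AUTH LOGIN PLAIN",
        "S: 250 OK",
        "C: AUTH LOGIN",
        "S: 334 " + _b64("Username:"),   # server prompt, base64 of "Username:"
        "C: " + _b64(username),
        "S: 334 " + _b64("Password:"),
        "C: " + _b64(password),
        "S: 235 2.7.0 Authentication successful",
    ]


def build_auth_plain_session(username, password):
    """Construct a plaintext SMTP AUTH PLAIN exchange (authzid \\0 authcid \\0 password)."""
    token = base64.b64encode(f"\0{username}\0{password}".encode()).decode()
    return ["C: EHLO victim-pc", "C: AUTH PLAIN " + token, "S: 235 Authentication successful"]


def recover_smtp_credentials(lines):
    """Return (username, password) from a transcript using AUTH LOGIN or AUTH PLAIN.

    Returns None if the client negotiates STARTTLS before authenticating (the
    credentials are then encrypted) or if no AUTH command is present.
    """
    client = [line[3:] for line in lines if line.startswith("C: ")]
    for i, cmd in enumerate(client):
        upper = cmd.upper()
        if upper == "STARTTLS":
            return None
        if upper.startswith("AUTH PLAIN "):
            parts = base64.b64decode(cmd.split(None, 2)[2]).decode().split("\0")
            return parts[-2], parts[-1]
        if upper == "AUTH LOGIN" and i + 2 < len(client):
            user = base64.b64decode(client[i + 1]).decode()
            pw = base64.b64decode(client[i + 2]).decode()
            return user, pw
    return None


def matches_extracted_config(lines, config=EXTRACTED_CONFIG):
    """True if the recovered password is the one carried in the sample's config."""
    creds = recover_smtp_credentials(lines)
    return creds is not None and creds[1] == config["password"]


if __name__ == "__main__":
    session = build_auth_login_session(EXTRACTED_CONFIG["username"], EXTRACTED_CONFIG["password"])
    print(recover_smtp_credentials(session), matches_extracted_config(session))
```

Port 587 is the mail submission port, and a client that issues STARTTLS before AUTH hides the credentials from a passive capture; in that case match the session on the destination host and port instead. The recovered credentials also identify the drop mailbox, which is what to report to the hosting provider.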
Targets

    • MassLogger

      MassLogger is a .NET credential stealer that harvests saved passwords from web browsers, email clients and cryptocurrency wallets.

    • MassLogger Main Payload

    • Checks computer location settings

      Reads the country code configured in the registry, most likely as a geofence so the sample can refuse to run in certain locales.

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser profile data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Queries a legitimate public IP lookup service to learn the infected system's external IP address, which stealers typically include in the exfiltrated report.

    • Suspicious use of SetThreadContext

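The signatures above (Run key persistence, external IP lookup, and the SMTP connection to the extracted host) are the host-side behaviours a defender can hunt for. Below is an added example, not part of the report, of simple detection logic that correlates those behaviours per process. It runs over constructed, simplified Sysmon-style events (event IDs 3, 13 and 22 are real Sysmon types, but the key=value lines are made up for the example, not real logs); the list of IP lookup services is an assumption, since the report does not name the one the sample used.

```python
import re
from collections import defaultdict

# Indicators taken from this report's extracted config
EXFIL_HOST = "bh-58.webhostbox.net"
EXFIL_PORT = 587

# Assumed: common public IP lookup services; the report does not say which one the sample used
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ipinfo.io", "icanhazip.com"}

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Run entries pointing into user-writable locations are far more suspicious than system binaries
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.IGNORECASE)

# Constructed sample events (simplified Sysmon fields, not real logs)
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Users\\victim\\AppData\\Local\\Temp\\invoice.exe ProcessId=4120",
    "EventID=13 ProcessId=4120 TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\invoice Details=C:\\Users\\victim\\AppData\\Local\\Temp\\invoice.exe",
    "EventID=22 ProcessId=4120 QueryName=api.ipify.org",
    "EventID=3 ProcessId=4120 DestinationHostname=bh-58.webhostbox.net DestinationPort=587",
    "EventID=13 ProcessId=900 TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth Details=C:\\Windows\\system32\\SecurityHealthSystray.exe",
    "EventID=3 ProcessId=2200 DestinationHostname=mail.example.com DestinationPort=587",
]


def parse_event(line):
    """Parse one constructed 'key=value' event line into a dict (values contain no spaces)."""
    return dict(field.split("=", 1) for field in line.split())


def tag_event(ev):
    """Return the set of behaviour tags a single event matches."""
    tags = set()
    eid = ev.get("EventID")
    if eid == "13" and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        if USER_WRITABLE_RE.search(ev.get("Details", "")):
            tags.add("run_key_persistence")
    elif eid == "22" and ev.get("QueryName", "").lower() in IP_LOOKUP_HOSTS:
        tags.add("ip_lookup")
    elif eid == "3" and ev.get("DestinationPort") == str(EXFIL_PORT):
        tags.add("smtp_submission")
        if ev.get("DestinationHostname", "").lower() == EXFIL_HOST:
            tags.add("known_exfil_host")
    return tags


def detect(lines):
    """Map ProcessId -> set of behaviour tags, keeping only processes that matched something."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        tags = tag_event(ev)
        if tags:
            hits[ev["ProcessId"]] |= tags
    return dict(hits)


def triage(lines):
    """Process IDs worth alerting on: any contact with the known exfil host,
    or three or more independent stealer behaviours from one process."""
    hits = detect(lines)
    return sorted(pid for pid, tags in hits.items()
                  if "known_exfil_host" in tags or len(tags) >= 3)


if __name__ == "__main__":
    for pid, tags in detect(SAMPLE_EVENTS).items():
        print(pid, sorted(tags))
    print("alert:", triage(SAMPLE_EVENTS))
```

A lone outbound connection on port 587 is normal for mail clients, which is why the logic only alerts on the extracted host by itself and otherwise requires the persistence and IP-lookup behaviours to co-occur in the same process. The SetThreadContext signature is not covered here; it is an API-level behaviour that Sysmon does not log directly.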