General

  • Target

    f0023bfb3e94279390869945db35e97d284a4cf1ead2c2484d13488bfa63ef30

  • Size

    6.0MB

  • Sample

    220329-xhe7tseaak

  • MD5

    7cc8265de52ff104b9aafb8e7c16e7ad

  • SHA1

    f7bd5fd4ec32752306f07776e5915654f2473354

  • SHA256

    f0023bfb3e94279390869945db35e97d284a4cf1ead2c2484d13488bfa63ef30

  • SHA512

    db1f592a03bbc26d101ad91f3e4d634a607e652b3bb1bbc47dcbe419ed80c1e8bb1d96de54592619a593610ab1b1f36953ad4ac0b56d76724fc6a657eacd59cf

Malware Config

Targets

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger Main Payload

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • Turns off Windows Defender SpyNet reporting

    • Windows security bypass

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks