Overview

overview

10

Static

static

MBin.exe

windows7_x64

10

MBin.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    78522b2700bd1d3087f1a31f311db0937b5cc65f6ab635e08f184e6021ff3ee2

  • Size

    683KB

  • Sample

    220503-zekn9acba5

  • MD5

    f9dcbd440ab4301f797a50088246feb6

  • SHA1

    336355f6a0bbdb2390f0870e5e604eb7d31d005a

  • SHA256

    78522b2700bd1d3087f1a31f311db0937b5cc65f6ab635e08f184e6021ff3ee2

  • SHA512

    b5aa0cd8fc3989bd6cd0c0a6c39d35f269e35012f0b038669b3d5ebd65176c4594de02c27b4636f9696f61f6744ea41059d6492c14dd3025cf583c25cfd0e629

Score
10/10
massloggercollectionevasionpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      MBin.exe

    • Size

      929KB

    • MD5

      c4cf28c1d5e4da94c3391b90cd91671d

    • SHA1

      2c0db45e4852ab67255f78fe6921ada7a305244e

    • SHA256

      433c68e89fe741e7ec59e064861baf726ab0b8637849d9d92fa5e3a2819d211c

    • SHA512

      23590c2584a04127ec7c75f5f642a6884715390158b897e3617d4cbd536d6369388a0f3cce6d926ae7bf3e149d4cc8c99f82a35e340553421411d1c624506f39

    Score
    10/10
    massloggercollectionevasionpersistencespywarestealertrojan

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

      stealerspywaremasslogger

    • MassLogger Main Payload

    • Modifies WinLogon for persistence

      persistence

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Turns off Windows Defender SpyNet reporting

      evasion

    • Windows security bypass

      evasiontrojan

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

7
T1112

Disabling Security Tools

4
T1089

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks