General

  • Target

    8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b

  • Size

    1.6MB

  • Sample

    220625-levbssegap

  • MD5

    701689a69877d6fd71e7872be77bcab6

  • SHA1

    dd2cfff32e2de1d6ce99e0ea5814c6ca905b507c

  • SHA256

    8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b

  • SHA512

    5cd5ce167184bf375eace9f3f9d3983e255769a5809ed14994f13eecf37f5f88ba0f5b36be63dc2d25ad358b0f0a9ccf3e2b8c8b56b6dd8c0e6324c2e204727c

Malware Config

Targets

    • Target

      8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b

    • Size

      1.6MB

    • MD5

      701689a69877d6fd71e7872be77bcab6

    • SHA1

      dd2cfff32e2de1d6ce99e0ea5814c6ca905b507c

    • SHA256

      8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b

    • SHA512

      5cd5ce167184bf375eace9f3f9d3983e255769a5809ed14994f13eecf37f5f88ba0f5b36be63dc2d25ad358b0f0a9ccf3e2b8c8b56b6dd8c0e6324c2e204727c

    • MassLogger

      MassLogger is a .NET stealer that targets saved passwords from browsers, email clients and cryptocurrency clients.

    • MassLogger Main Payload

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

    • Persistence

      Registry Run Keys / Startup Folder (T1060): 1

    • Defense Evasion

      Modify Registry (T1112): 1

Tasks