Analysis
max time kernel: 115s
max time network: 133s
platform: windows7_x64
resource: win7
submitted: 08-07-2020 06:33
Static task: static1
Behavioral task: behavioral1
  Sample: GHB08072020.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: GHB08072020.exe
  Resource: win10v200430
General
Target: GHB08072020.exe
Size: 1.2MB
MD5: c30cd0191fdbddd45e213a7b89256749
SHA1: 54d240a372703587500ede18c1dc1bcf0c5972a6
SHA256: 1216760b7cd8f2c6be3e6ddabaea8e1068faf26f97a5f9a1575a139904cd58d3
SHA512: b4eff82876ce64c8074e53e7921d5aee6afdd9b10c16297c5639f7d735bcc430429c260b3eacf92dc5ee9d114554f505efbe094ae2f7fd0b9a300b988a1ddbe4
Malware Config
Extracted
Protocol: smtp
Host: smtp.yandex.ru
Port: 587
Username: [email protected]
Password: Office@123
This is the sample's exfiltration channel: the stealer submits what it collects by SMTP through this mailbox, so the host and account are the network indicators to block and to look for in outbound mail logs.
Signatures

MassLogger log file (1 IoC)
Detects a log file produced by MassLogger.
YARA rule: masslogger_log_file

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

MassLogger
MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

Suspicious use of WriteProcessMemory (29 IoCs)
Processes (source PID -> target PID, source image -> target image; identical consecutive entries collapsed with a count):
PID 1152 wrote to memory of 1780   GHB08072020.exe -> schtasks.exe      (4 entries)
PID 1152 wrote to memory of 1872   GHB08072020.exe -> GHB08072020.exe   (4 entries)
PID 1152 wrote to memory of 1880   GHB08072020.exe -> GHB08072020.exe   (4 entries)
PID 1152 wrote to memory of 1896   GHB08072020.exe -> GHB08072020.exe   (4 entries)
PID 1152 wrote to memory of 1888   GHB08072020.exe -> GHB08072020.exe   (4 entries)
PID 1152 wrote to memory of 1904   GHB08072020.exe -> GHB08072020.exe   (9 entries)
The parent writes into five freshly spawned copies of its own image. Writes into a child alone are weak evidence (the four writes into schtasks.exe are just the process start), but the write into 1904 is followed by SetThreadContext on the same child (below), which is the process-hollowing pattern: the parent replaces the child's code and then redirects its main thread into it.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid, process):
1152 GHB08072020.exe (4 entries)
1904 GHB08072020.exe (2 entries)

Suspicious use of SetThreadContext (1 IoC)
Processes:
PID 1152 set thread context of 1904   GHB08072020.exe -> GHB08072020.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
1904 GHB08072020.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
Token: SeDebugPrivilege   1152 GHB08072020.exe
Token: SeDebugPrivilege   1904 GHB08072020.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
1904 GHB08072020.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 6, ioc api.ipify.org
Processes

C:\Users\Admin\AppData\Local\Temp\GHB08072020.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\GHB08072020.exe"
  PID: 1152
  Suspicious use of WriteProcessMemory
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of SetThreadContext
  Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fyCvHhz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB9DC.tmp"
    PID: 1780
    Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\GHB08072020.exe
    Command line: "{path}"
    PID: 1872

  C:\Users\Admin\AppData\Local\Temp\GHB08072020.exe
    Command line: "{path}"
    PID: 1880

  C:\Users\Admin\AppData\Local\Temp\GHB08072020.exe
    Command line: "{path}"
    PID: 1896

  C:\Users\Admin\AppData\Local\Temp\GHB08072020.exe
    Command line: "{path}"
    PID: 1888

  C:\Users\Admin\AppData\Local\Temp\GHB08072020.exe
    Command line: "{path}"
    PID: 1904
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx

Two details of the tree matter for detection. The command line names C:\Windows\System32\schtasks.exe but the process image is C:\Windows\SysWOW64\schtasks.exe: the parent is a 32-bit process, so WoW64 file system redirection resolves System32 to SysWOW64, and a hunt keyed on the image path alone must include the SysWOW64 copy. The task definition is supplied as XML from a temp file (tmpB9DC.tmp) under a task folder named "Updates", a common disguise for a persistence entry. Of the five copies of itself the parent spawned with the literal argument "{path}", only 1904 received SetThreadContext, and it is the only child that goes on to show stealer behaviour (clipboard listener, a Windows hook, process enumeration); the other four exhibit nothing after being written to.
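The two findings above (self-hollowing via WriteProcessMemory plus SetThreadContext on a same-image child, and schtasks persistence driven by a task XML in a temp directory) can be recovered mechanically from the flat API events a sandbox emits. The following is an added example written for this page, not the sandbox vendor's code or anything from the sample; the Event layout is an assumption, and the event records are constructed to mirror the PIDs, counts and command line in the report so the output can be checked against the sections above.

```python
"""Correlate flat sandbox API events into the two findings this report shows:
self-hollowing (WriteProcessMemory + SetThreadContext into a copy of the same
image) and schtasks persistence driven by a task XML in a temp directory.

Added example for this page, not code from the sandbox vendor or from
MassLogger. The Event layout and the sample records are constructed to mirror
the PIDs, counts and command line in the report above.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    api: str                           # hooked API family, e.g. "WriteProcessMemory"
    pid: int                           # acting process
    image: str                         # acting process image name
    target_pid: Optional[int] = None   # process acted upon, if any
    target_image: Optional[str] = None
    cmdline: Optional[str] = None      # only for process-creation events


SELF = "GHB08072020.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"


def _writes(n: int, target_pid: int, target_image: str) -> List[Event]:
    """n WriteProcessMemory events from the parent (1152) into one target."""
    return [Event("WriteProcessMemory", 1152, SELF, target_pid, target_image)] * n


# Constructed to match the report: 4 writes each into schtasks.exe and four
# copies of itself, 9 writes into the fifth copy (1904), and a single
# SetThreadContext on 1904 only.
EVENTS: List[Event] = [
    Event("CreateProcess", 1152, SELF, 1780, "schtasks.exe",
          '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\fyCvHhz" '
          + f'/XML "{TEMP}\\tmpB9DC.tmp"'),
    *_writes(4, 1780, "schtasks.exe"),
    *[Event("CreateProcess", 1152, SELF, child, SELF, "{path}")
      for child in (1872, 1880, 1896, 1888, 1904)],
    *_writes(4, 1872, SELF), *_writes(4, 1880, SELF),
    *_writes(4, 1896, SELF), *_writes(4, 1888, SELF),
    *_writes(9, 1904, SELF),
    Event("SetThreadContext", 1152, SELF, 1904, SELF),
]


def find_self_injection(events: List[Event]) -> Dict[str, List[Tuple[int, int]]]:
    """Pair WriteProcessMemory with SetThreadContext on a same-image child.

    A write on its own is weak (installers and debuggers do it); a write
    followed by SetThreadContext on a fresh copy of the same image is the
    hollowing pattern. Children that were only written to are reported
    separately so the analyst still sees the attempts that never had a
    thread redirected.
    """
    writes = Counter((e.pid, e.target_pid) for e in events
                     if e.api == "WriteProcessMemory"
                     and e.target_image == e.image and e.target_pid != e.pid)
    ctx = {(e.pid, e.target_pid) for e in events if e.api == "SetThreadContext"}
    hollowed = sorted(pair for pair in writes if pair in ctx)
    write_only = sorted(pair for pair in writes if pair not in ctx)
    return {"hollowed": hollowed, "write_only": write_only}


# Matches schtasks /Create with /TN and /XML regardless of quoting or case.
_SCHTASKS = re.compile(
    r'schtasks(?:\.exe)?"?\s+/create\b.*?/tn\s+"?(?P<name>[^"\s]+)"?'
    r'.*?/xml\s+"?(?P<xml>[^"]+)"?',
    re.IGNORECASE)


def find_schtasks_persistence(events: List[Event]) -> List[Tuple[str, str]]:
    """Flag schtasks /Create calls whose task XML lives in a user temp directory."""
    found = []
    for e in events:
        if e.api != "CreateProcess" or not e.cmdline:
            continue
        m = _SCHTASKS.search(e.cmdline)
        if m and "\\appdata\\local\\temp\\" in m.group("xml").lower():
            found.append((m.group("name"), m.group("xml")))
    return found


if __name__ == "__main__":
    print(find_self_injection(EVENTS))
    print(find_schtasks_persistence(EVENTS))
```

Run against the constructed events, find_self_injection reports 1904 as hollowed and the other four children as write-only, and find_schtasks_persistence returns the "Updates\fyCvHhz" task with its temp-file XML. On real telemetry the same correlation keys (acting PID, target PID, same image, SetThreadContext within the same parent) carry over; the temp-path check on the XML argument is what separates this from a legitimate installer registering a task.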