Analysis
- max time kernel: 100s
- max time network: 143s
- platform: windows7_x64
- resource: win7
- submitted: 17/07/2020, 04:35
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Fareit-FXH669AAA441B0C.26983.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Fareit-FXH669AAA441B0C.26983.exe
- Resource: win10v200430
General
- Target: SecuriteInfo.com.Fareit-FXH669AAA441B0C.26983.exe
- Size: 1.3MB
- MD5: 669aaa441b0cf2654c259e4c24b50143
- SHA1: ab3e801debb13208312a5cb508f2f7f8f87a5219
- SHA256: bac48e9a9fad6c9afa0387fe592bb1eabd56cfbcbffef2bbc765e32de2846478
- SHA512: 91d4b8b82d62b2aeb7426280b7108a2eb3503c96e3e8aad0d6d331e3802143a838bd55a6b6836ec518288845c0a42048fa84795c1e524ce0307fe07f81d82023
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\E2C1E8F1FA\Log.txt
- Family: masslogger
Signatures
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 1756, Process SecuriteInfo.com.Fareit-FXH669AAA441B0C.26983.exe
- MassLogger log file (1 IoC)
  Detects a log file produced by MassLogger.
  yara_rule: masslogger_log_file
- MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- Suspicious use of WriteProcessMemory (13 IoCs)
  description: PID 1204 wrote to memory of 1836; pid 1204; Process SecuriteInfo.com.Fareit-FXH669AAA441B0C.26983.exe; procid_target 26 (4 identical entries)
  description: PID 1204 wrote to memory of 1756; pid 1204; Process SecuriteInfo.com.Fareit-FXH669AAA441B0C.26983.exe; procid_target 28 (9 identical entries)
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1204 set thread context of 1756; pid 1204; Process SecuriteInfo.com.Fareit-FXH669AAA441B0C.26983.exe; procid_target 28
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1756, Process SecuriteInfo.com.Fareit-FXH669AAA441B0C.26983.exe (2 identical entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 5, ioc api.ipify.org
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid 1756; Process SecuriteInfo.com.Fareit-FXH669AAA441B0C.26983.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1756, Process SecuriteInfo.com.Fareit-FXH669AAA441B0C.26983.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 1836, Process schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Fareit-FXH669AAA441B0C.26983.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Fareit-FXH669AAA441B0C.26983.exe"
  PID: 1204
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ckevIEOoisAJt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp361C.tmp"
    PID: 1836
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Fareit-FXH669AAA441B0C.26983.exe (level 2)
    Command line: "{path}"
    PID: 1756
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx