Analysis
- max time kernel: 110s
- max time network: 149s
- platform: windows7_x64
- resource: win7
- submitted: 31-07-2020 13:47
Static task: static1
Behavioral task: behavioral1 (Sample: RFQ.exe, Resource: win7)
Behavioral task: behavioral2 (Sample: RFQ.exe, Resource: win10)
General
- Target: RFQ.exe
- Size: 1.3MB
- MD5: b7988e14a7dc282e2d131776364aef0b
- SHA1: 6d8d7ba0e463c2ce49b54fe787ca1a9d2d0da1ac
- SHA256: 19d4521c89aa9d79db5c279ab7d68e413b796e53b72e3ffca4312a6705ff3c76
- SHA512: b629c2604f46cc01ff146f3b92c1c2782f3c9d1bfb9f6932fbfb292c5c9885f0f190d137cd0141e178b5ba03a1812fe3e05eb4f53d8648ab692b312ab9c98270
Malware Config
Extracted
- Family: masslogger
- Log path: C:\Users\Admin\AppData\Local\E2C1E8F1FA\Log.txt
Extracted
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: wintom@wls-com.me
- Password: MORELOVE123
The SMTP submission account above (mail.privateemail.com, port 587) is the configured exfiltration channel; the Log.txt path is the MassLogger log file that the masslogger_log_file YARA rule below matches. Both the host and the mailbox are usable as block and hunt indicators.
Signatures
- MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 1448 / RFQ.exe
    Token: SeDebugPrivilege / 1936 / RFQ.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process):
    1448 / RFQ.exe (x4)
    1936 / RFQ.exe (x2)
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description / pid / process / target process):
    PID 1448 wrote to memory of 1260 / 1448 / RFQ.exe / schtasks.exe (x4)
    PID 1448 wrote to memory of 1936 / 1448 / RFQ.exe / RFQ.exe (x9)
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid / process):
    1936 / RFQ.exe
  The child RFQ.exe (1936) registers for clipboard-change notifications, which is how a stealer captures clipboard contents.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
    6 / api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
    PID 1448 set thread context of 1936 / 1448 / RFQ.exe / RFQ.exe
  Taken together with the nine WriteProcessMemory calls from 1448 into the same child and the 736KB region later dumped from 1936 at 0x400000, this is the process-hollowing (RunPE) pattern: the first RFQ.exe starts a second instance of itself, overwrites that child's image region and then points its thread into the rewritten code. The writes into schtasks.exe (1260) have no matching SetThreadContext, so they do not fit that pattern on their own.
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
    1936 / RFQ.exe
  A SetWindowsHookEx call from the child is consistent with a keyboard hook for keystroke capture.
- MassLogger log file (1 IoCs)
  Detects a log file produced by MassLogger.
  Processes (yara_rule):
    masslogger_log_file
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQ.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmp31AA.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\RFQ.exe (depth 2)
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Three details of this tree matter for detection. The command line names System32\schtasks.exe but the image that actually ran is SysWOW64\schtasks.exe: the parent is a 32-bit process, so WoW64 file-system redirection applied on the x64 platform. The task name "Updates\&startupname&" and the child's command line "{path}" appear to be literal, unsubstituted placeholder strings, and both are unusual enough to serve as detection strings by themselves. Finally, the task definition is supplied as an XML file staged in the user's Temp directory (tmp31AA.tmp, also listed under Downloads), so the trigger and action are not visible on the command line and have to be recovered from that file.
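As a worked check on the correlations described above (an added example, not part of the sandbox report), the functions below take a flat list of API events constructed from this report's process tree and IoC tables and recover the three findings an analyst would want to pull out: the hollowing pair (writes plus SetThreadContext, which excludes the writes into schtasks.exe), the schtasks persistence via a Temp-staged XML, and the MassLogger log path. The (api, pid, target_pid, detail) tuple schema, the Temp-directory regex and the 10-hex-character log directory pattern are assumptions, not the sandbox's own format.

```python
"""Correlate sandbox API events into the findings this report lists.

Added example (not part of the sandbox report). EVENTS is constructed
from the report's process tree and IoC tables (pids 1448, 1260, 1936);
the (api, pid, target_pid, detail) tuple layout is an assumed schema,
not the sandbox's own export format.
"""
import re
from collections import defaultdict

# schtasks /Create ... /TN <name> ... /XML <file>; captures task name and XML path.
SCHTASKS_XML_RE = re.compile(
    r'schtasks(?:\.exe)?"?\s.*?/create\b.*?/tn\s+"?([^"\s]+)"?.*?/xml\s+"?([^"]+)"?',
    re.IGNORECASE,
)
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# Log path shape seen once in this report; treating the directory name as
# 10 hex characters is an assumption generalised from that single sample.
MASSLOGGER_LOG_RE = re.compile(r"\\AppData\\Local\\[0-9A-F]{10}\\Log\.txt$", re.IGNORECASE)

# Constructed from the report: (api, pid, target_pid, detail)
EVENTS = [
    ("CreateProcess", 1448, 1260,
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" '
     r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp31AA.tmp"'),
    *[("WriteProcessMemory", 1448, 1260, "")] * 4,
    ("CreateProcess", 1448, 1936, r'"{path}"'),
    *[("WriteProcessMemory", 1448, 1936, "")] * 9,
    ("SetThreadContext", 1448, 1936, ""),
    ("AdjustPrivilegeToken", 1936, None, "SeDebugPrivilege"),
    ("FileWrite", 1936, None, r"C:\Users\Admin\AppData\Local\E2C1E8F1FA\Log.txt"),
]


def find_hollowing(events):
    """(parent, child, write_count) for every child whose memory the parent
    wrote AND whose thread context it replaced: the RunPE/process-hollowing
    shape. Writes alone do not qualify; schtasks.exe is written to as well
    but never gets SetThreadContext, so it must not be reported."""
    writes = defaultdict(int)
    retargeted = set()
    for api, pid, target, _ in events:
        if api == "WriteProcessMemory":
            writes[(pid, target)] += 1
        elif api == "SetThreadContext":
            retargeted.add((pid, target))
    return sorted((p, c, writes[(p, c)]) for p, c in retargeted if writes[(p, c)])


def find_schtasks_persistence(events):
    """(pid, child_pid, task_name, xml_path) for schtasks /Create calls whose
    task definition is staged in a Temp directory, as in this report."""
    hits = []
    for api, pid, target, cmd in events:
        if api != "CreateProcess":
            continue
        m = SCHTASKS_XML_RE.search(cmd)
        if m and TEMP_DIR_RE.search(m.group(2)):
            hits.append((pid, target, m.group(1), m.group(2)))
    return hits


def find_masslogger_logs(events):
    """(pid, path) for file writes matching the MassLogger log location."""
    return [(pid, path) for api, pid, _, path in events
            if api == "FileWrite" and MASSLOGGER_LOG_RE.search(path)]


if __name__ == "__main__":
    for label, fn in (("hollowing", find_hollowing),
                      ("schtasks persistence", find_schtasks_persistence),
                      ("masslogger log", find_masslogger_logs)):
        for hit in fn(EVENTS):
            print(f"{label}: {hit}")
```

The hollowing check deliberately requires both signals on the same parent/child pair: on this report's data, the four writes into schtasks.exe are not reported, and removing the single SetThreadContext event makes the finding disappear, which is the false-positive behaviour you want before turning such a rule loose on EDR telemetry.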
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp31AA.tmp (the scheduled-task XML passed to schtasks.exe)
- memory/1260-2-0x0000000000000000-mapping.dmp
- memory/1448-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1936-4-0x0000000000400000-0x00000000004B8000-memory.dmp (Filesize: 736KB)
- memory/1936-5-0x00000000004B2D6E-mapping.dmp
- memory/1936-6-0x0000000000400000-0x00000000004B8000-memory.dmp (Filesize: 736KB)
- memory/1936-8-0x0000000000400000-0x00000000004B8000-memory.dmp (Filesize: 736KB)
The three 1936 dumps cover the same 0xB8000-byte (736KB) region starting at 0x400000, the usual image base of a 32-bit executable; the mapping dump address 0x4B2D6E lies inside that region and is consistent with the thread start address the parent set via SetThreadContext. Those dumps, not the on-disk RFQ.exe, are where to look for the code that actually ran in the child.