Malware Analysis Report

2025-04-14 05:15

Sample ID 201127-3ssdzp4s86
Target 26-11-20_Dhl_Signed_document-pdf.exe
SHA256 fba68e2814abacdbe354eb421f5fd731a64cf8410b9ded4e914373a7863c2e99
Tags
masslogger persistence spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

fba68e2814abacdbe354eb421f5fd731a64cf8410b9ded4e914373a7863c2e99

Threat Level: Known bad

The file 26-11-20_Dhl_Signed_document-pdf.exe was found to be: Known bad.

Malicious Activity Summary

masslogger persistence spyware stealer

MassLogger

MassLogger Main Payload

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-11-27 14:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-11-27 14:10

Reported

2020-11-27 14:12

Platform

win7v20201028

Max time kernel

13s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe

"C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe"

Network

N/A

Files

memory/1760-2-0x0000000074DD0000-0x00000000754BE000-memory.dmp

memory/1760-3-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

memory/1760-5-0x0000000004BC0000-0x0000000004C23000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2020-11-27 14:10

Reported

2020-11-27 14:12

Platform

win10v20201028

Max time kernel

19s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe N/A

Reads user/profile data of web browsers

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc245 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc245.exe\"" C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe

"C:\Users\Admin\AppData\Local\Temp\26-11-20_Dhl_Signed_document-pdf.exe"

Network

Country Destination Domain Proto
N/A 52.109.8.21:443 tcp
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.243.164.148:80 api.ipify.org tcp
N/A 8.8.8.8:53 ecogasoline.com.pk udp
N/A 148.66.139.57:443 ecogasoline.com.pk tcp

Files

memory/756-2-0x00000000739A0000-0x000000007408E000-memory.dmp

memory/756-3-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/756-5-0x0000000005C40000-0x0000000005C41000-memory.dmp

memory/756-6-0x00000000057E0000-0x00000000057E1000-memory.dmp

memory/756-7-0x0000000005740000-0x0000000005741000-memory.dmp

memory/756-8-0x0000000007370000-0x00000000073D3000-memory.dmp

memory/756-805-0x000000001F010000-0x000000001F011000-memory.dmp

memory/756-806-0x000000001EFE0000-0x000000001EFE1000-memory.dmp

memory/756-807-0x000000001F330000-0x000000001F3B6000-memory.dmp

memory/756-808-0x0000000020110000-0x0000000020111000-memory.dmp

memory/756-809-0x00000000207E0000-0x00000000207E1000-memory.dmp

memory/756-810-0x00000000210D0000-0x00000000210D1000-memory.dmp

memory/756-811-0x0000000021030000-0x0000000021069000-memory.dmp

memory/756-812-0x0000000021170000-0x00000000211FD000-memory.dmp

memory/756-813-0x00000000210A0000-0x00000000210A1000-memory.dmp

memory/756-814-0x0000000021200000-0x0000000021201000-memory.dmp