Analysis

max time kernel: 61s
max time network: 122s
platform: windows10_x64
resource: win10v20201028
submitted: 28/11/2020, 11:22

Static task: static1

Behavioral task: behavioral1
  Sample: 5ba337af468de6f90b4c31ff4cef4c45.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: 5ba337af468de6f90b4c31ff4cef4c45.exe
  Resource: win10v20201028
General

Target: 5ba337af468de6f90b4c31ff4cef4c45.exe
Size: 584KB
MD5: 5ba337af468de6f90b4c31ff4cef4c45
SHA1: 36d38196dd5867aa472fc80a970abc990524c6f0
SHA256: 282d4efd74164b844bf5a0dc437745738f2f48070575d278e83128a09c6929d5
SHA512: aa0cf1972ea4b41ed38b76415fd0bc9c146bc7c9a7e5f33f1a3a77aa9ae25d318834e18738114b19b41570c75201ce7ba2f9bc3d093bfa72398e004a35de912e
Malware Config

Signatures

- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

- MassLogger Main Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/1324-12-0x0000000000400000-0x0000000000486000-memory.dmp | family_masslogger
  behavioral2/memory/1324-13-0x0000000000481BFE-mapping.dmp | family_masslogger

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation | 5ba337af468de6f90b4c31ff4cef4c45.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" | 5ba337af468de6f90b4c31ff4cef4c45.exe

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  19 | api.ipify.org

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 4068 set thread context of 1324 | 4068 | 5ba337af468de6f90b4c31ff4cef4c45.exe | 76

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  1324 | 5ba337af468de6f90b4c31ff4cef4c45.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  1324 | 5ba337af468de6f90b4c31ff4cef4c45.exe
  1324 | 5ba337af468de6f90b4c31ff4cef4c45.exe
  1324 | 5ba337af468de6f90b4c31ff4cef4c45.exe
  1324 | 5ba337af468de6f90b4c31ff4cef4c45.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4068 | 5ba337af468de6f90b4c31ff4cef4c45.exe
  Token: SeDebugPrivilege | 1324 | 5ba337af468de6f90b4c31ff4cef4c45.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  1324 | 5ba337af468de6f90b4c31ff4cef4c45.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 4068 wrote to memory of 1324 | 4068 | 5ba337af468de6f90b4c31ff4cef4c45.exe | 76
  PID 4068 wrote to memory of 1324 | 4068 | 5ba337af468de6f90b4c31ff4cef4c45.exe | 76
  PID 4068 wrote to memory of 1324 | 4068 | 5ba337af468de6f90b4c31ff4cef4c45.exe | 76
  PID 4068 wrote to memory of 1324 | 4068 | 5ba337af468de6f90b4c31ff4cef4c45.exe | 76
  PID 4068 wrote to memory of 1324 | 4068 | 5ba337af468de6f90b4c31ff4cef4c45.exe | 76
  PID 4068 wrote to memory of 1324 | 4068 | 5ba337af468de6f90b4c31ff4cef4c45.exe | 76
  PID 4068 wrote to memory of 1324 | 4068 | 5ba337af468de6f90b4c31ff4cef4c45.exe | 76
  PID 4068 wrote to memory of 1324 | 4068 | 5ba337af468de6f90b4c31ff4cef4c45.exe | 76
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe"
  PID: 4068
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2 (child of PID 4068): C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe"
    PID: 1324
    - Checks computer location settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx