Analysis

  • max time kernel
    61s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    28/11/2020, 11:22

General

  • Target

    5ba337af468de6f90b4c31ff4cef4c45.exe

  • Size

    584KB

  • MD5

    5ba337af468de6f90b4c31ff4cef4c45

  • SHA1

    36d38196dd5867aa472fc80a970abc990524c6f0

  • SHA256

    282d4efd74164b844bf5a0dc437745738f2f48070575d278e83128a09c6929d5

  • SHA512

    aa0cf1972ea4b41ed38b76415fd0bc9c146bc7c9a7e5f33f1a3a77aa9ae25d318834e18738114b19b41570c75201ce7ba2f9bc3d093bfa72398e004a35de912e

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe
    "C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe
      "C:\Users\Admin\AppData\Local\Temp\5ba337af468de6f90b4c31ff4cef4c45.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1324

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1324-12-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1324-23-0x0000000006E90000-0x0000000006E91000-memory.dmp

    Filesize

    4KB

  • memory/1324-21-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

    Filesize

    4KB

  • memory/1324-20-0x00000000064A0000-0x00000000064A1000-memory.dmp

    Filesize

    4KB

  • memory/1324-15-0x0000000073E00000-0x00000000744EE000-memory.dmp

    Filesize

    6.9MB

  • memory/4068-7-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

    Filesize

    4KB

  • memory/4068-11-0x00000000073F0000-0x0000000007406000-memory.dmp

    Filesize

    88KB

  • memory/4068-10-0x0000000007300000-0x0000000007301000-memory.dmp

    Filesize

    4KB

  • memory/4068-9-0x0000000007330000-0x0000000007331000-memory.dmp

    Filesize

    4KB

  • memory/4068-8-0x0000000005110000-0x00000000051AE000-memory.dmp

    Filesize

    632KB

  • memory/4068-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

    Filesize

    6.9MB

  • memory/4068-6-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

    Filesize

    4KB

  • memory/4068-5-0x0000000005410000-0x0000000005411000-memory.dmp

    Filesize

    4KB

  • memory/4068-3-0x0000000000610000-0x0000000000611000-memory.dmp

    Filesize

    4KB