Analysis
max time kernel: 75s
max time network: 145s
platform: windows10_x64
resource: win10v20201028
submitted: 30/11/2020, 14:25
Static task: static1

Behavioral task: behavioral1
  Sample: PAYMENT REMIT COPY 673578.pif.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: PAYMENT REMIT COPY 673578.pif.exe
  Resource: win10v20201028
General
Target: PAYMENT REMIT COPY 673578.pif.exe
Size: 611KB
MD5: 7a2383c694b62f4e180ce68ca761407a
SHA1: 4bb84adc5fa25b720776947e1d677a01e4e38fb5
SHA256: 53683da1f2e21ec38952bbde9fd4e04330333cbda4185d1562f99ab31af17ea5
SHA512: a0732860c30f05470db2fc7d25cb3d8c8261729d7a2cbbd1d0f079a8bd72df7ae87a62d73c12ff29a4cf5540972b0abd17daeaa78537dc3e8b7a9a15e55dbd75
Malware Config
Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

MassLogger Main Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3008-10-0x0000000000400000-0x0000000000488000-memory.dmp | family_masslogger
  behavioral2/memory/3008-11-0x000000000048209E-mapping.dmp | family_masslogger

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation | PAYMENT REMIT COPY 673578.pif.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" | PAYMENT REMIT COPY 673578.pif.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  15 | api.ipify.org

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 640 set thread context of 3008 | 640 | PAYMENT REMIT COPY 673578.pif.exe | 78

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  3008 | PAYMENT REMIT COPY 673578.pif.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  3008 | PAYMENT REMIT COPY 673578.pif.exe
  3008 | PAYMENT REMIT COPY 673578.pif.exe
  3008 | PAYMENT REMIT COPY 673578.pif.exe
  3008 | PAYMENT REMIT COPY 673578.pif.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 640 | PAYMENT REMIT COPY 673578.pif.exe
  Token: SeDebugPrivilege | 3008 | PAYMENT REMIT COPY 673578.pif.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  3008 | PAYMENT REMIT COPY 673578.pif.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 640 wrote to memory of 3008 | 640 | PAYMENT REMIT COPY 673578.pif.exe | 78
  PID 640 wrote to memory of 3008 | 640 | PAYMENT REMIT COPY 673578.pif.exe | 78
  PID 640 wrote to memory of 3008 | 640 | PAYMENT REMIT COPY 673578.pif.exe | 78
  PID 640 wrote to memory of 3008 | 640 | PAYMENT REMIT COPY 673578.pif.exe | 78
  PID 640 wrote to memory of 3008 | 640 | PAYMENT REMIT COPY 673578.pif.exe | 78
  PID 640 wrote to memory of 3008 | 640 | PAYMENT REMIT COPY 673578.pif.exe | 78
  PID 640 wrote to memory of 3008 | 640 | PAYMENT REMIT COPY 673578.pif.exe | 78
  PID 640 wrote to memory of 3008 | 640 | PAYMENT REMIT COPY 673578.pif.exe | 78
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"
  PID: 640
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2 (child of PID 640): C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"
    PID: 3008
    - Checks computer location settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx