Malware Analysis Report

2025-04-14 05:14

Sample ID: 201130-kzdm7rysnj
Target: PAYMENT REMIT COPY 673578.pif.exe
SHA256: 53683da1f2e21ec38952bbde9fd4e04330333cbda4185d1562f99ab31af17ea5
Tags: masslogger, persistence, spyware, stealer
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 53683da1f2e21ec38952bbde9fd4e04330333cbda4185d1562f99ab31af17ea5
Threat Level: Known bad. The file PAYMENT REMIT COPY 673578.pif.exe was classified as known bad (MassLogger).

Malicious Activity Summary

Tags: masslogger, persistence, spyware, stealer

  MassLogger
  MassLogger Main Payload
  Reads user/profile data of web browsers
  Checks computer location settings
  Adds Run key to start application
  Looks up external IP address via web service
  Suspicious use of SetThreadContext
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Suspicious behavior: AddClipboardFormatListener
  Suspicious use of SetWindowsHookEx

Read together, these signatures describe a keystroke/clipboard/browser-data stealer: SetWindowsHookEx is the API used to install keyboard hooks (the hook type is not recorded here), AddClipboardFormatListener subscribes the process to clipboard changes, the browser-profile reads collect stored browser data, and the api.ipify.org request fetches the victim's public IP. SeDebugPrivilege followed by WriteProcessMemory and SetThreadContext against a second copy of the same image is consistent with the on-disk executable acting as a loader that injects the MassLogger payload into a second instance of itself, and the Run key under the user's hive gives it persistence without administrative rights.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2020-11-30 14:25

Signatures: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2020-11-30 14:25
Reported: 2020-11-30 14:27
Platform: win7v20201028
Max time kernel: 47s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"

Signatures

MassLogger
Tags: stealer, spyware, masslogger

MassLogger Main Payload
  4 hits; Description, Indicator, Process and Target are all N/A (no details recorded).

Checks computer location settings
  Description: Key value queried
  Indicator: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation
  Process: C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
  Target: N/A

Reads user/profile data of web browsers
Tags: spyware

Adds Run key to start application
Tags: persistence
  Description: Set value (str)
  Indicator: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\""
  Process: C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
  Target: N/A
  Note: the value is named "vlc" and points at a vlc.exe under the user's roaming profile (Start Menu\Programs\VideoLAN), a user-writable location rather than a program directory. The Files section of this detonation records no write of that file.

Looks up external IP address via web service
  Description: N/A
  Indicator: api.ipify.org
  Process: N/A
  Target: N/A

Suspicious use of SetThreadContext
  Description: PID 1756 set thread context of 1464
  Indicator: N/A
  Process: C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
  Target: C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe

Suspicious behavior: AddClipboardFormatListener
  Description: N/A
  Indicator: N/A
  Process: C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
  Target: N/A

Suspicious use of AdjustPrivilegeToken
  2 events, identical:
  Description: Token: SeDebugPrivilege
  Indicator: N/A
  Process: C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
  Target: N/A

Suspicious use of SetWindowsHookEx
  Description: N/A
  Indicator: N/A
  Process: C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
  Target: N/A

Suspicious use of WriteProcessMemory
  12 events, identical:
  Description: PID 1756 wrote to memory of 1464
  Indicator: N/A
  Process: C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
  Target: C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
  Note: writer and target run the same image, and the same PID pair appears in the SetThreadContext signature. Repeated writes into a second instance of one's own image followed by a thread-context change is consistent with process hollowing; the target's 0x400000-0x488000 dumps and the 0x48209E "mapping" entry in the Files section are where to look for the injected payload.
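The SetThreadContext and WriteProcessMemory signatures above both name the pair 1756 -> 1464, and behavioral2 records 640 -> 3008 for SetThreadContext only. Correlating the two signals per PID pair, and tying them to the memory dumps in the Files section, is what turns the raw rows into a verdict. The following Python script is an added example, not part of the sandbox report: it parses the description strings and dump names copied from this report's tables, counts writes and context changes per (writer, target) pair, checks whether both PIDs run the same image, and checks whether the address the sandbox tagged "mapping" in the target (0x48209E) falls inside a dumped target region (0x400000-0x488000). The verdict labels are this example's own wording; the report records only the API usage.

```python
"""Correlate sandbox injection signatures per (writer, target) PID pair.

Added example; not part of the original report. ROWS and DUMPS are copied
from the report's tables (behavioral1, plus behavioral2's SetThreadContext row).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

IMG = r"C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"

# (signature, description, process, target) exactly as the report tabulates them.
ROWS: List[Tuple[str, str, str, str]] = [
    ("Suspicious use of SetThreadContext", "PID 1756 set thread context of 1464", IMG, IMG),
    # behavioral1 lists this WriteProcessMemory row twelve times.
    *(("Suspicious use of WriteProcessMemory", "PID 1756 wrote to memory of 1464", IMG, IMG),) * 12,
    # behavioral2 tabulates only the context change for its pair.
    ("Suspicious use of SetThreadContext", "PID 640 set thread context of 3008", IMG, IMG),
]

# Memory-dump names from the Files sections (subset relevant to the two pairs).
DUMPS = [
    "memory/1756-5-0x0000000004C40000-0x0000000004CD8000-memory.dmp",
    "memory/1464-7-0x0000000000400000-0x0000000000488000-memory.dmp",
    "memory/1464-8-0x000000000048209E-mapping.dmp",
    "memory/3008-10-0x0000000000400000-0x0000000000488000-memory.dmp",
    "memory/3008-11-0x000000000048209E-mapping.dmp",
]

EVENT_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+)$")
REGION_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp$")


@dataclass
class Verdict:
    writer: int
    target: int
    writes: int                  # WriteProcessMemory events writer -> target
    context_set: bool            # SetThreadContext seen for writer -> target
    same_image: bool             # both PIDs run the same executable
    mapping_addr: Optional[int]  # address the sandbox tagged "mapping" in the target
    mapping_in_dump: bool        # that address lies inside a dumped target region
    label: str


def parse_dumps(dumps):
    """Return {pid: [(start, end), ...]} of dumped regions and {pid: mapping address}."""
    regions = defaultdict(list)
    mapping = {}
    for name in dumps:
        m = REGION_RE.match(name)
        if m:
            regions[int(m.group(1))].append((int(m.group(2), 16), int(m.group(3), 16)))
            continue
        m = MAPPING_RE.match(name)
        if m:
            mapping[int(m.group(1))] = int(m.group(2), 16)
    return regions, mapping


def correlate(rows, dumps) -> List[Verdict]:
    writes = defaultdict(int)
    contexts = set()
    images = {}
    for _sig, desc, proc, target in rows:
        m = EVENT_RE.match(desc)
        if not m:
            continue  # not a PID-to-PID event row (e.g. token or registry rows)
        src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
        images[src], images[dst] = proc, target
        if verb.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            contexts.add((src, dst))

    regions, mapping = parse_dumps(dumps)
    out = []
    for src, dst in sorted(set(writes) | contexts):
        addr = mapping.get(dst)
        in_dump = addr is not None and any(s <= addr < e for s, e in regions.get(dst, []))
        same = images[src].lower() == images[dst].lower()
        has_ctx = (src, dst) in contexts
        if writes[(src, dst)] and has_ctx:
            label = ("write + thread context into a same-image process (consistent with process hollowing)"
                     if same else "write + thread context into another process (injection)")
        elif has_ctx:
            label = "context change only; look for memory writes in the other signatures"
        else:
            label = "memory writes only; look for thread creation or a context change"
        out.append(Verdict(src, dst, writes[(src, dst)], has_ctx, same, addr, in_dump, label))
    return out


if __name__ == "__main__":
    for v in correlate(ROWS, DUMPS):
        print(f"{v.writer} -> {v.target}: {v.writes} writes, context={v.context_set}, "
              f"same_image={v.same_image}, mapping=0x{v.mapping_addr:X} in_dump={v.mapping_in_dump}")
        print("   ", v.label)
```

The 640 -> 3008 pair comes out as "context change only" because the script sees only what this report tabulates for behavioral2; on the host, the same logic runs over Sysmon or ETW process-access events, where the two signals are separate records that must be joined on the (source, target) PID pair in exactly this way.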

Processes

Two instances of the same image; per the signature tables PID 1756 wrote into and set the thread context of PID 1464.

  C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
    "C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"
  C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
    "C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"

Network

  Country | Destination       | Domain        | Proto
  N/A     | 8.8.8.8:53        | api.ipify.org | udp   (DNS resolution)
  N/A     | 54.225.66.103:80  | api.ipify.org | tcp   (HTTP lookup of the external IP)

Files

memory/1756-2-0x00000000749D0000-0x00000000750BE000-memory.dmp

memory/1756-3-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1756-5-0x0000000004C40000-0x0000000004CD8000-memory.dmp

memory/1756-6-0x0000000000860000-0x0000000000876000-memory.dmp

memory/1464-7-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1464-8-0x000000000048209E-mapping.dmp

memory/1464-9-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1464-10-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1464-11-0x00000000749D0000-0x00000000750BE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2020-11-30 14:25
Reported: 2020-11-30 14:27
Platform: win10v20201028
Max time kernel: 75s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"

Signatures

MassLogger
Tags: stealer, spyware, masslogger

MassLogger Main Payload
  2 hits; Description, Indicator, Process and Target are all N/A (no details recorded).

Checks computer location settings
  Description: Key value queried
  Indicator: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation
  Process: C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
  Target: N/A

Reads user/profile data of web browsers
Tags: spyware

Adds Run key to start application
Tags: persistence
  Description: Set value (str)
  Indicator: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\""
  Process: C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
  Target: N/A
  Note: same value name and target path as in behavioral1; only the user SID differs. This detonation's Files section records a CLR usage log but no write of vlc.exe.
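The Run-key entry is identical in behavioral1 and behavioral2 apart from the user SID. The following Python script, added here as an example and not part of the sandbox report, parses the indicator the way the sandbox prints it (value data with escaped backslashes and quotes, wrapped in an extra pair of quotes), recovers hive, SID, key, value name and the launched executable, and raises the flags a triage analyst wants from a Run entry: target under a user-writable directory, per-user (HKCU) scope, value name mirroring the executable name. The USER_WRITABLE_MARKERS list and the benign HKLM sample used for contrast in the usage note are assumptions of this example.

```python
"""Triage a sandbox "Set value (str)" Run-key indicator.

Added example; not part of the sandbox report. RUN_KEY_INDICATOR is copied
from the "Adds Run key to start application" table (behavioral2); the
user-writable path markers are an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicator exactly as printed in the report. The sandbox escapes backslashes
# and embedded quotes inside the value data and wraps the whole data in quotes.
RUN_KEY_INDICATOR = (
    r"\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "
    r'"\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu'
    r'\\Programs\\VideoLAN\\vlc.exe\""'
)

# Directories a standard user can write to (assumed list; lower-cased, with
# surrounding separators so "\appdata\" does not match a longer name).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


@dataclass
class RunKeyFinding:
    hive: str                 # "HKCU" for \REGISTRY\USER\<SID>, "HKLM" for \REGISTRY\MACHINE
    sid: Optional[str]
    key: str                  # key path relative to the hive
    value_name: str
    command: str              # value data as the registry stores it
    target: str               # executable the command launches
    flags: List[str] = field(default_factory=list)


def unescape(data: str) -> str:
    # The sandbox prints a backslash as '\\' and a quote as '\"'; drop the escape.
    return re.sub(r"\\(.)", r"\1", data)


def first_token(command: str) -> str:
    """Executable path of a Run command: the quoted span, or the first word."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def triage_run_key(indicator: str) -> RunKeyFinding:
    key_path, _, raw_data = indicator.partition(" = ")
    parts = key_path.split("\\")           # ['', 'REGISTRY', 'USER' | 'MACHINE', ...]
    if parts[2].upper() == "USER":
        hive, sid, rel = "HKCU", parts[3], parts[4:]
    else:
        hive, sid, rel = "HKLM", None, parts[3:]
    command = unescape(raw_data[1:-1])     # strip the outer quotes the sandbox adds
    target = first_token(command)
    finding = RunKeyFinding(hive, sid, "\\".join(rel[:-1]), rel[-1], command, target)

    lower = target.lower()
    exe_base = lower.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if any(m in lower for m in USER_WRITABLE_MARKERS):
        finding.flags.append("target in user-writable path")
    if hive == "HKCU":
        finding.flags.append("per-user persistence (no admin rights needed)")
    if finding.value_name.lower() == exe_base:
        finding.flags.append("value name mirrors executable name")
    return finding


if __name__ == "__main__":
    f = triage_run_key(RUN_KEY_INDICATOR)
    print(f"{f.hive}\\{f.key}\\{f.value_name} -> {f.target}")
    for flag in f.flags:
        print("  !", flag)
```

Run against the report's indicator the script reports HKCU scope, the vlc value name, the AppData\Roaming target and all three flags; a constructed HKLM entry such as `\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "\"C:\\Program Files\\Vendor\\updater.exe\" /silent"` parses to a Program Files target with no user-writable flag. On a live host the same path test applies to every value read from HKCU\Software\Microsoft\Windows\CurrentVersion\Run; the script works on the sandbox's textual indicator so it can run offline over a batch of reports.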

Looks up external IP address via web service
  Description: N/A
  Indicator: api.ipify.org
  Process: N/A
  Target: N/A

Suspicious use of SetThreadContext
  Description: PID 640 set thread context of 3008
  Indicator: N/A
  Process: C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
  Target: C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
  Note: same-image pair as in behavioral1 (there 1756 -> 1464). A WriteProcessMemory table is not tabulated for this detonation, but the target's Files entries (0x400000-0x488000 region, 0x48209E "mapping") match those of PID 1464 in behavioral1.

Suspicious behavior: AddClipboardFormatListener
  Description: N/A
  Indicator: N/A
  Process: C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
  Target: N/A

Suspicious use of AdjustPrivilegeToken
  2 events, identical:
  Description: Token: SeDebugPrivilege
  Indicator: N/A
  Process: C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
  Target: N/A

Suspicious use of SetWindowsHookEx
  Description: N/A
  Indicator: N/A
  Process: C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
  Target: N/A

Processes

Two instances of the same image; per the signature table PID 640 set the thread context of PID 3008.

  C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
    "C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"
  C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
    "C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"

Network

  Country | Destination         | Domain        | Proto
  N/A     | 8.8.8.8:53          | api.ipify.org | udp   (DNS resolution)
  N/A     | 174.129.214.20:80   | api.ipify.org | tcp   (HTTP lookup of the external IP)

Files

memory/640-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

memory/640-3-0x00000000005A0000-0x00000000005A1000-memory.dmp

memory/640-5-0x0000000005300000-0x0000000005301000-memory.dmp

memory/640-6-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

memory/640-7-0x0000000004E70000-0x0000000004E71000-memory.dmp

memory/640-8-0x0000000006B70000-0x0000000006C08000-memory.dmp

memory/640-9-0x00000000052C0000-0x00000000052D6000-memory.dmp

memory/3008-10-0x0000000000400000-0x0000000000488000-memory.dmp

memory/3008-11-0x000000000048209E-mapping.dmp

memory/3008-13-0x0000000073E00000-0x00000000744EE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT REMIT COPY 673578.pif.exe.log
  MD5:    9e7845217df4a635ec4341c3d52ed685
  SHA1:   d65cb39d37392975b038ce503a585adadb805da5
  SHA256: d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b
  SHA512: 307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1
  Note: CLR_v4.0_32\UsageLogs is written by the 32-bit .NET Framework 4 runtime, so the sample executes as a managed (.NET) process; this is the only non-memory file the detonation recorded.

memory/3008-18-0x00000000063D0000-0x00000000063D1000-memory.dmp

memory/3008-20-0x0000000006CC0000-0x0000000006CC1000-memory.dmp

memory/3008-21-0x0000000006EB0000-0x0000000006EB1000-memory.dmp