Malware Analysis Report

2025-04-14 05:15

Sample ID 201130-m5wqftjtj2
Target PAYMENT REMIT COPY 673578.pif.exe
SHA256 53683da1f2e21ec38952bbde9fd4e04330333cbda4185d1562f99ab31af17ea5
Tags
masslogger persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

53683da1f2e21ec38952bbde9fd4e04330333cbda4185d1562f99ab31af17ea5

Threat Level: Known bad

The file PAYMENT REMIT COPY 673578.pif.exe was found to be: Known bad.

Malicious Activity Summary

masslogger persistence spyware stealer

MassLogger Main Payload

MassLogger

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-11-30 14:24

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2020-11-30 14:24

Reported

2020-11-30 14:27

Platform

win10v20201028

Max time kernel

119s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A

Reads user/profile data of web browsers

spyware

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3584 set thread context of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe

"C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"

C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe

"C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 54.225.220.115:80 | api.ipify.org | tcp

Files

memory/3584-2-0x0000000073900000-0x0000000073FEE000-memory.dmp

memory/3584-3-0x0000000000E90000-0x0000000000E91000-memory.dmp

memory/3584-5-0x0000000005C10000-0x0000000005C11000-memory.dmp

memory/3584-6-0x00000000057B0000-0x00000000057B1000-memory.dmp

memory/3584-7-0x0000000005760000-0x0000000005761000-memory.dmp

memory/3584-8-0x0000000007480000-0x0000000007518000-memory.dmp

memory/3584-9-0x0000000005B70000-0x0000000005B86000-memory.dmp

memory/204-11-0x000000000048209E-mapping.dmp

memory/204-10-0x0000000000400000-0x0000000000488000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT REMIT COPY 673578.pif.exe.log

MD5 9e7845217df4a635ec4341c3d52ed685
SHA1 d65cb39d37392975b038ce503a585adadb805da5
SHA256 d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b
SHA512 307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

memory/204-13-0x0000000073900000-0x0000000073FEE000-memory.dmp

memory/204-18-0x0000000006830000-0x0000000006831000-memory.dmp

memory/204-20-0x0000000007170000-0x0000000007171000-memory.dmp

memory/204-21-0x0000000007410000-0x0000000007411000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2020-11-30 14:24

Reported

2020-11-30 14:27

Platform

win7v20201028

Max time kernel

48s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A

Reads user/profile data of web browsers

spyware

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\"" | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 476 set thread context of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 476 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
PID 476 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
PID 476 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
PID 476 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
PID 476 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
PID 476 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
PID 476 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
PID 476 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
PID 476 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
PID 476 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
PID 476 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe
PID 476 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe | C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe

"C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"

C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe

"C:\Users\Admin\AppData\Local\Temp\PAYMENT REMIT COPY 673578.pif.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 174.129.214.20:80 | api.ipify.org | tcp

Files

memory/476-2-0x0000000073F20000-0x000000007460E000-memory.dmp

memory/476-3-0x0000000000E80000-0x0000000000E81000-memory.dmp

memory/476-5-0x0000000004850000-0x00000000048E8000-memory.dmp

memory/476-6-0x0000000000A00000-0x0000000000A16000-memory.dmp

memory/1592-8-0x000000000048209E-mapping.dmp

memory/1592-7-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1592-9-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1592-10-0x0000000000400000-0x0000000000488000-memory.dmp

memory/1592-11-0x0000000073F20000-0x000000007460E000-memory.dmp