Analysis
-
max time kernel
62s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
01/12/2020, 14:20
Static task
static1
Behavioral task
behavioral1
Sample
vessel details.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
vessel details.exe
Resource
win10v20201028
General
-
Target
vessel details.exe
-
Size
1.0MB
-
MD5
0cc939dccba0be64d2c6dc13e7b55729
-
SHA1
02d50dfe38ff1bc27d76ba3866d326f0a8777208
-
SHA256
373ff5729bbb58bba6a9426b0a35c58a921be8b76a3ccf1dd9f99f410af8dddd
-
SHA512
fff564d60bb71423007d24e3feda6288edf27fc65a1d2f02ffda4b8f9d4f435bd18985c220cd132d7505b234770a1f8eda9e77059884df65b24a955905506ae8
Malware Config
Extracted
Protocol: ftp- Host:
maaig.com - Port:
21 - Username:
[email protected] - Password:
E#T~&wyRgLDa
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 2 IoCs
resource yara_rule behavioral2/memory/352-12-0x0000000000400000-0x0000000000486000-memory.dmp family_masslogger behavioral2/memory/352-13-0x0000000000481BCE-mapping.dmp family_masslogger -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation vessel details.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 16 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1304 set thread context of 352 1304 vessel details.exe 78 -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 352 vessel details.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 352 vessel details.exe 352 vessel details.exe 352 vessel details.exe 352 vessel details.exe 3588 powershell.exe 3588 powershell.exe 3588 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 352 vessel details.exe Token: SeDebugPrivilege 3588 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 352 vessel details.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1304 wrote to memory of 352 1304 vessel details.exe 78 PID 1304 wrote to memory of 352 1304 vessel details.exe 78 PID 1304 wrote to memory of 352 1304 vessel details.exe 78 PID 1304 wrote to memory of 352 1304 vessel details.exe 78 PID 1304 wrote to memory of 352 1304 vessel details.exe 78 PID 1304 wrote to memory of 352 1304 vessel details.exe 78 PID 1304 wrote to memory of 352 1304 vessel details.exe 78 PID 1304 wrote to memory of 352 1304 vessel details.exe 78 PID 352 wrote to memory of 3588 352 vessel details.exe 80 PID 352 wrote to memory of 3588 352 vessel details.exe 80 PID 352 wrote to memory of 3588 352 vessel details.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\vessel details.exe"C:\Users\Admin\AppData\Local\Temp\vessel details.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Users\Admin\AppData\Local\Temp\vessel details.exe"{path}"2⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:352 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\vessel details.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3588
-
-