Analysis
-
max time kernel
59s -
max time network
148s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
02/12/2020, 14:03
Static task
static1
Behavioral task
behavioral1
Sample
Vessel Details.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Vessel Details.exe
Resource
win10v20201028
General
-
Target
Vessel Details.exe
-
Size
1.0MB
-
MD5
c937e1944545e46b2f249badce1502e5
-
SHA1
869346420d996877d43d8b316e5d20daf90e2c75
-
SHA256
2c0c11555412e75e830be16688aba26096a7110a3befefb865ddf5410a89a297
-
SHA512
4001dbfd7f5437133ef17dc044ffbcf68a2faf857d69aed2b17f9ef2bcb046a897e0b0139e1fc97711139711deea7f5e6d4022adc595a0a3814f6705c5605d89
Malware Config
Extracted
Protocol: ftp- Host:
maaig.com - Port:
21 - Username:
[email protected] - Password:
E#T~&wyRgLDa
Extracted
Protocol: smtp- Host:
mail.vitracer.com - Port:
587 - Username:
[email protected] - Password:
vm85932754
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 2 IoCs
resource yara_rule behavioral2/memory/1872-12-0x0000000000400000-0x0000000000486000-memory.dmp family_masslogger behavioral2/memory/1872-13-0x0000000000481BCE-mapping.dmp family_masslogger -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation Vessel Details.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 17 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4076 set thread context of 1872 4076 Vessel Details.exe 78 -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1872 Vessel Details.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 1872 Vessel Details.exe 1872 Vessel Details.exe 1872 Vessel Details.exe 1872 Vessel Details.exe 2672 powershell.exe 2672 powershell.exe 2672 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1872 Vessel Details.exe Token: SeDebugPrivilege 2672 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1872 Vessel Details.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4076 wrote to memory of 1872 4076 Vessel Details.exe 78 PID 4076 wrote to memory of 1872 4076 Vessel Details.exe 78 PID 4076 wrote to memory of 1872 4076 Vessel Details.exe 78 PID 4076 wrote to memory of 1872 4076 Vessel Details.exe 78 PID 4076 wrote to memory of 1872 4076 Vessel Details.exe 78 PID 4076 wrote to memory of 1872 4076 Vessel Details.exe 78 PID 4076 wrote to memory of 1872 4076 Vessel Details.exe 78 PID 4076 wrote to memory of 1872 4076 Vessel Details.exe 78 PID 1872 wrote to memory of 2672 1872 Vessel Details.exe 80 PID 1872 wrote to memory of 2672 1872 Vessel Details.exe 80 PID 1872 wrote to memory of 2672 1872 Vessel Details.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\Vessel Details.exe"C:\Users\Admin\AppData\Local\Temp\Vessel Details.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Users\Admin\AppData\Local\Temp\Vessel Details.exe"{path}"2⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Vessel Details.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672
-
-