Analysis
-
max time kernel
58s -
max time network
148s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
02/12/2020, 14:02
Static task
static1
Behavioral task
behavioral1
Sample
Vessel Details.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Vessel Details.exe
Resource
win10v20201028
General
-
Target
Vessel Details.exe
-
Size
1.0MB
-
MD5
c937e1944545e46b2f249badce1502e5
-
SHA1
869346420d996877d43d8b316e5d20daf90e2c75
-
SHA256
2c0c11555412e75e830be16688aba26096a7110a3befefb865ddf5410a89a297
-
SHA512
4001dbfd7f5437133ef17dc044ffbcf68a2faf857d69aed2b17f9ef2bcb046a897e0b0139e1fc97711139711deea7f5e6d4022adc595a0a3814f6705c5605d89
Malware Config
Extracted
Protocol: ftp- Host:
maaig.com - Port:
21 - Username:
[email protected] - Password:
E#T~&wyRgLDa
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 2 IoCs
resource yara_rule behavioral2/memory/2788-12-0x0000000000400000-0x0000000000486000-memory.dmp family_masslogger behavioral2/memory/2788-13-0x0000000000481BCE-mapping.dmp family_masslogger -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation Vessel Details.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 15 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1028 set thread context of 2788 1028 Vessel Details.exe 79 -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2788 Vessel Details.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2788 Vessel Details.exe 2788 Vessel Details.exe 2788 Vessel Details.exe 2788 Vessel Details.exe 3444 powershell.exe 3444 powershell.exe 3444 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2788 Vessel Details.exe Token: SeDebugPrivilege 3444 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2788 Vessel Details.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1028 wrote to memory of 2788 1028 Vessel Details.exe 79 PID 1028 wrote to memory of 2788 1028 Vessel Details.exe 79 PID 1028 wrote to memory of 2788 1028 Vessel Details.exe 79 PID 1028 wrote to memory of 2788 1028 Vessel Details.exe 79 PID 1028 wrote to memory of 2788 1028 Vessel Details.exe 79 PID 1028 wrote to memory of 2788 1028 Vessel Details.exe 79 PID 1028 wrote to memory of 2788 1028 Vessel Details.exe 79 PID 1028 wrote to memory of 2788 1028 Vessel Details.exe 79 PID 2788 wrote to memory of 3444 2788 Vessel Details.exe 81 PID 2788 wrote to memory of 3444 2788 Vessel Details.exe 81 PID 2788 wrote to memory of 3444 2788 Vessel Details.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\Vessel Details.exe"C:\Users\Admin\AppData\Local\Temp\Vessel Details.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Users\Admin\AppData\Local\Temp\Vessel Details.exe"{path}"2⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Vessel Details.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3444
-
-