Analysis
- max time kernel: 61s
- max time network: 18s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 30-12-2020 09:15
Static task: static1
Behavioral task: behavioral1
- Sample: DHL_20201230,pdf.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: DHL_20201230,pdf.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: DHL_20201230,pdf.exe
- Size: 1.1MB
- MD5: 14fe2d5d95ec2fe9d8610f5e16c88428
- SHA1: 97d20decb09787cbf557207a49b309b31429244c
- SHA256: a9a4bd2de434ba7cb210b0e8bc7374db4c6df7e0e94dac78c67f3dc97ddadc4f
- SHA512: 50096d3b5c84cade3b070e649557313692bd4f89af08aba07582c2ecfb54d0f2da35b98f4ad3ca2c8c072a0cffde8c2ac991bad42e73422327946f617e2ee07b
- Score: 10/10
Malware Config
Signatures
- MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger Main Payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/1348-3-0x0000000000400000-0x0000000000486000-memory.dmp | family_masslogger
  behavioral1/memory/1348-4-0x0000000000481D6E-mapping.dmp | family_masslogger
  behavioral1/memory/1348-5-0x0000000000400000-0x0000000000486000-memory.dmp | family_masslogger
  behavioral1/memory/1348-6-0x0000000000400000-0x0000000000486000-memory.dmp | family_masslogger
- Suspicious use of SetThreadContext (1 IoC)
  Processes: DHL_20201230,pdf.exe
  description | pid | process | target process
  PID 340 set thread context of 1348 | 340 | DHL_20201230,pdf.exe | MSBuild.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: DHL_20201230,pdf.exe, MSBuild.exe
  description | pid | process | target process
  PID 340 wrote to memory of 1348 | 340 | DHL_20201230,pdf.exe | MSBuild.exe (9 identical entries)
  PID 1348 wrote to memory of 1564 | 1348 | MSBuild.exe | dw20.exe (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\DHL_20201230,pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL_20201230,pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 372
Network
MITRE ATT&CK Matrix
Downloads
- memory/1348-3-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
- memory/1348-4-0x0000000000481D6E-mapping.dmp
- memory/1348-5-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
- memory/1348-6-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
- memory/1564-7-0x0000000000000000-mapping.dmp
- memory/1564-8-0x0000000002280000-0x0000000002291000-memory.dmp (Filesize: 68KB)
- memory/1564-9-0x0000000002380000-0x0000000002391000-memory.dmp (Filesize: 68KB)