Overview

overview

10

Static

static

DHL_20201230,pdf.exe

windows7_x64

10

DHL_20201230,pdf.exe

windows10_x64

10

Analysis

  • max time kernel
    70s
  • max time network
    129s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    30-12-2020 09:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL_20201230,pdf.exe

  • Size

    1.1MB

  • MD5

    14fe2d5d95ec2fe9d8610f5e16c88428

  • SHA1

    97d20decb09787cbf557207a49b309b31429244c

  • SHA256

    a9a4bd2de434ba7cb210b0e8bc7374db4c6df7e0e94dac78c67f3dc97ddadc4f

  • SHA512

    50096d3b5c84cade3b070e649557313692bd4f89af08aba07582c2ecfb54d0f2da35b98f4ad3ca2c8c072a0cffde8c2ac991bad42e73422327946f617e2ee07b

Score
10/10
massloggerspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 7 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL_20201230,pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL_20201230,pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4020
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 680
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2412-5-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize

    536KB

    Download
  • memory/2412-6-0x0000000000481D6E-mapping.dmp
    Download
  • memory/2412-11-0x0000000000481D6E-mapping.dmp
    Download
  • memory/2412-10-0x0000000000481D6E-mapping.dmp
    Download
  • memory/2412-12-0x0000000000481D6E-mapping.dmp
    Download
  • memory/2412-13-0x0000000000481D6E-mapping.dmp
    Download
  • memory/2412-14-0x0000000000481D6E-mapping.dmp
    Download
  • memory/3584-7-0x0000000000000000-mapping.dmp
    Download
  • memory/3584-8-0x00000000025F0000-0x00000000025F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3584-9-0x0000000002960000-0x0000000002961000-memory.dmp
    Filesize

    4KB

    Download