Malware Analysis Report

2025-04-14 05:12

Sample ID 210111-hkxt4ldy4n
Target DHL_Dec 2021 at 8.N_91B7290_PDF.exe
SHA256 6b35792d37ac6bb94a74d471840852812de8b2b67f09f3cb32e2a0e6d4d699e3
Tags
masslogger spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6b35792d37ac6bb94a74d471840852812de8b2b67f09f3cb32e2a0e6d4d699e3

Threat Level: Known bad

The file DHL_Dec 2021 at 8.N_91B7290_PDF.exe was found to be: Known bad.

Malicious Activity Summary

masslogger spyware stealer

MassLogger

MassLogger Main Payload

Reads user/profile data of web browsers

Checks computer location settings

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-01-11 12:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-01-11 12:08

Reported

2021-01-11 12:10

Platform

win7v20201028

Max time kernel

16s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe N/A

Reads user/profile data of web browsers

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1824 set thread context of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1824 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe
PID 1824 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe
PID 1824 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe
PID 1824 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe
PID 1824 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe
PID 1824 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe
PID 1824 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe
PID 1824 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe
PID 1824 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe"

C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.235.142.93:80 api.ipify.org tcp

Files

memory/1824-2-0x0000000073980000-0x000000007406E000-memory.dmp

memory/1824-3-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

memory/1824-5-0x0000000004D10000-0x0000000004DBE000-memory.dmp

memory/1824-6-0x0000000000420000-0x000000000042F000-memory.dmp

memory/1332-7-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1332-8-0x0000000000481E9E-mapping.dmp

memory/1332-9-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1332-10-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1332-11-0x0000000073980000-0x000000007406E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-01-11 12:08

Reported

2021-01-11 12:10

Platform

win10v20201028

Max time kernel

16s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe N/A

Reads user/profile data of web browsers

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 644 set thread context of 2924 N/A C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe"

C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\DHL_Dec 2021 at 8.N_91B7290_PDF.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.235.142.93:80 api.ipify.org tcp

Files

memory/644-2-0x0000000073F80000-0x000000007466E000-memory.dmp

memory/644-3-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/644-5-0x0000000005980000-0x0000000005981000-memory.dmp

memory/644-6-0x0000000005480000-0x0000000005481000-memory.dmp

memory/644-7-0x00000000053E0000-0x00000000053E1000-memory.dmp

memory/644-8-0x0000000008990000-0x0000000008A3E000-memory.dmp

memory/644-9-0x0000000008A40000-0x0000000008A41000-memory.dmp

memory/644-10-0x0000000008E30000-0x0000000008E31000-memory.dmp

memory/644-11-0x0000000005970000-0x000000000597F000-memory.dmp

memory/2924-12-0x0000000000400000-0x0000000000486000-memory.dmp

memory/2924-13-0x0000000000481E9E-mapping.dmp

memory/2924-14-0x0000000073F80000-0x000000007466E000-memory.dmp

memory/2924-19-0x0000000005FE0000-0x0000000005FE1000-memory.dmp

memory/2924-20-0x00000000068E0000-0x00000000068E1000-memory.dmp