Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-01-2021 20:08

General

  • Target

    DHL_January 2021 at 28M_9B7290_PDF.exe

  • Size

    727KB

  • MD5

    c13081675ef4f1fea467c18c31bf2492

  • SHA1

    6683c8d513c50cbe2a5999a4a5c31c4a90aeb01d

  • SHA256

    2d9b9f417d914d2b6f3bc2eefbe9b82ec3eacd8077f2ad4a1a05f393f8584bc8

  • SHA512

    76da00c45c88387f03eb727ad5ff948b39029a1c19d2f13070f08de94b9ec6084dea683b6345a2116c9a3b201f8d7ccd826c4343dcf5f04268ebc889981847a7

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Windows\SysWOW64\SecEdit.exe
      "C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log
      2⤵
      PID:1100
    • C:\Windows\SysWOW64\SecEdit.exe
      "C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log
      2⤵
      PID:268
    • C:\Windows\SysWOW64\SecEdit.exe
      "C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log
      2⤵
      PID:1176
    • C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe"
      2⤵
      PID:1132
    • C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:524

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access
    T1081 Credentials in Files (1)
  • Discovery
    T1012 Query Registry (1)
    T1082 System Information Discovery (1)
  • Collection
    T1005 Data from Local System (1)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\UserRights.cfg
    MD5
    d353be64a3ac409d9531ec6311a55140
    SHA1
    8d0d07175aa4560ff251ab2d7994d5442233bc17
    SHA256
    487b44f8208125557ce533248c164f54112816af448902bc217785eaa958c84d
    SHA512
    4f65c265df334d7a0e8e434bd012c41409fff9858b1a4a6cd56c8d1fca50ad3f221baef74c07d6d76145fb1fb2deeb8b9011025b7b7ffa4960d7ff98c5ab0e4b

  • C:\Users\Admin\AppData\Local\Temp\UserRights.cfg
    MD5
    dfd012ea179d6ffc84c07b5f3c19f7fd
    SHA1
    b5e4e2430f451f009f5391e6eac79b4bd5780934
    SHA256
    152f7b1f3be110b828bf30d46d8951bd54c169b7e4115b0bde2d3afb48dcc7bf
    SHA512
    746fbae6a07ce43aba5cd0afb8b0c577aec12fdfc35db477a805f1ddcfa3d67716d30f368d8b6cecdc8263878cc19a4a86e27c94c635234b0a2f45b83327a24f

  • C:\Users\Admin\AppData\Local\Temp\UserRights.log
    MD5
    f3b25701fe362ec84616a93a45ce9998
    SHA1
    d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256
    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512
    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • C:\Users\Admin\AppData\Local\Temp\UserRights.log
    MD5
    f3b25701fe362ec84616a93a45ce9998
    SHA1
    d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256
    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512
    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • memory/268-6-0x0000000000000000-mapping.dmp
  • memory/524-14-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/524-15-0x0000000000481E9E-mapping.dmp
  • memory/524-16-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/524-17-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/524-18-0x0000000074CF0000-0x00000000753DE000-memory.dmp
    Filesize
    6.9MB
  • memory/1080-12-0x0000000008090000-0x000000000813E000-memory.dmp
    Filesize
    696KB
  • memory/1080-2-0x0000000074CF0000-0x00000000753DE000-memory.dmp
    Filesize
    6.9MB
  • memory/1080-13-0x0000000002130000-0x000000000213F000-memory.dmp
    Filesize
    60KB
  • memory/1080-3-0x0000000000910000-0x0000000000911000-memory.dmp
    Filesize
    4KB
  • memory/1100-5-0x0000000000000000-mapping.dmp
  • memory/1176-9-0x0000000000000000-mapping.dmp