Malware Analysis Report

2025-04-14 05:16

Sample ID 210216-dpwaxefwvj
Target e45e5e69_extracted
SHA256 2d30797c2998eb1b5bdf78d44c3f3bc16d0a990a0e93a5c54656ac1bc4b63d9d
Tags
masslogger spyware stealer upx
score
10/10

Analysis Overview

score
10/10

SHA256

2d30797c2998eb1b5bdf78d44c3f3bc16d0a990a0e93a5c54656ac1bc4b63d9d

Threat Level: Known bad

The file e45e5e69_extracted was found to be: Known bad.

Malicious Activity Summary

masslogger spyware stealer upx

MassLogger

MassLogger log file

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Looks up external IP address via web service

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-02-16 17:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-02-16 17:42

Reported

2021-02-16 17:57

Platform

win7v20201028

Max time kernel

19s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A

Reads user/profile data of web browsers

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe

"C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 23.21.76.253:80 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | smtp.dachanq.cc | udp
N/A | 208.91.199.223:587 | smtp.dachanq.cc | tcp
N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp

Files

memory/1888-2-0x0000000074320000-0x0000000074A0E000-memory.dmp

memory/1888-3-0x0000000000C00000-0x0000000000C01000-memory.dmp

\Users\Admin\AppData\Local\Temp\Costura\8E3603ED8A0381E02887C1DBBE921340\32\sqlite.interop.dll

MD5 e81aeac387c5db32b7f9b07d15e788e0
SHA1 829be6eaf1cb0d82b2ddfc98272e1087f4a7a7c3
SHA256 44f31f99f048bfc5195937353b5207332e455bcd5a722bcfd32cacfd93f60f06
SHA512 cc6a96325a01c50c059706a1f4156f109e502ef9c0b0f5de209d1f52e7cc973cebc027f57ed988e9d1b8fca62746b60ee7430d608de95cdd0e5ac3cb61fbe32e

memory/1888-6-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/1888-7-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1888-8-0x0000000000A90000-0x0000000000ACE000-memory.dmp

memory/1888-9-0x0000000000380000-0x000000000040D000-memory.dmp

memory/1888-10-0x0000000004D90000-0x0000000004DE9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-02-16 17:42

Reported

2021-02-16 17:57

Platform

win10v20201028

Max time kernel

17s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A

Reads user/profile data of web browsers

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe

"C:\Users\Admin\AppData\Local\Temp\e45e5e69_extracted.exe"

Network

Country | Destination | Domain | Proto
N/A | 52.109.8.21:443 | | tcp
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 54.235.142.93:80 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | smtp.dachanq.cc | udp
N/A | 208.91.199.223:587 | smtp.dachanq.cc | tcp

Files

memory/3108-2-0x00000000739A0000-0x000000007408E000-memory.dmp

memory/3108-3-0x0000000000310000-0x0000000000311000-memory.dmp

\Users\Admin\AppData\Local\Temp\Costura\8E3603ED8A0381E02887C1DBBE921340\32\sqlite.interop.dll

MD5 e81aeac387c5db32b7f9b07d15e788e0
SHA1 829be6eaf1cb0d82b2ddfc98272e1087f4a7a7c3
SHA256 44f31f99f048bfc5195937353b5207332e455bcd5a722bcfd32cacfd93f60f06
SHA512 cc6a96325a01c50c059706a1f4156f109e502ef9c0b0f5de209d1f52e7cc973cebc027f57ed988e9d1b8fca62746b60ee7430d608de95cdd0e5ac3cb61fbe32e

memory/3108-6-0x0000000004D00000-0x0000000004D01000-memory.dmp

memory/3108-7-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

memory/3108-8-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

memory/3108-9-0x00000000056F0000-0x00000000056F1000-memory.dmp

memory/3108-10-0x0000000005D60000-0x0000000005D61000-memory.dmp

memory/3108-11-0x00000000064C0000-0x00000000064C1000-memory.dmp

memory/3108-12-0x00000000072E0000-0x000000000731E000-memory.dmp

memory/3108-13-0x0000000008320000-0x0000000008321000-memory.dmp

memory/3108-14-0x000000000B0B0000-0x000000000B0B1000-memory.dmp

memory/3108-15-0x0000000007320000-0x00000000073AD000-memory.dmp

memory/3108-16-0x00000000073B0000-0x0000000007409000-memory.dmp

memory/3108-17-0x0000000007410000-0x0000000007411000-memory.dmp