Malware Analysis Report

2025-04-14 05:12

Sample ID: 210216-j6ka8gsbcs
Target: 3f39da1d_extracted
SHA256: d73a8914369631978fc02cc99a735298589a6ce95979176382caf8be4753c84e
Tags: masslogger ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: d73a8914369631978fc02cc99a735298589a6ce95979176382caf8be4753c84e

Threat Level: Known bad

The file 3f39da1d_extracted was found to be: Known bad.

Malicious Activity Summary

masslogger ransomware spyware stealer

MassLogger log file

MassLogger

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Enumerates physical storage devices

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-02-16 17:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2021-02-16 17:42
Reported: 2021-02-16 17:59
Platform: win7v20201028
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Reads user/profile data of web browsers

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1864 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe | C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe | C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe | C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe | C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe | C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe | C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe | C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe | C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1060 wrote to memory of 428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1060 wrote to memory of 428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1060 wrote to memory of 428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1884 wrote to memory of 544 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1884 wrote to memory of 544 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1884 wrote to memory of 544 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1884 wrote to memory of 544 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1884 wrote to memory of 684 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1884 wrote to memory of 684 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1884 wrote to memory of 684 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1884 wrote to memory of 684 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe

"C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpCEB4.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 54.225.220.115:80 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 54.235.189.250:80 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | mail.privateemail.com | udp
N/A | 198.54.122.60:587 | mail.privateemail.com | tcp
N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp

Files

memory/1864-2-0x00000000743D0000-0x0000000074ABE000-memory.dmp

memory/1864-3-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/1864-5-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/1864-6-0x0000000000200000-0x0000000000201000-memory.dmp

memory/1060-7-0x0000000000000000-mapping.dmp

memory/1884-8-0x0000000000000000-mapping.dmp

memory/428-9-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCEB4.tmp.bat

MD5 33570c0b86f7c5863afa7aef5e122b14
SHA1 5214d0211fff38216c78619980cb794bdb4b60ca
SHA256 8dc5a4acef3243bd418a0cbe7985ce452d15829f99f178a9f4233cfda82144ee
SHA512 0a1f6ab5982fa0115b871614b29d702e655c306dc71cd9c5d78bdbabf8b9d78ea918ed346dcf992926adebf401369127002d390b0fcf49e3e6ebf17314e4e09f

memory/544-11-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

MD5 fd4543e3f35c11ef0d889c228beacd23
SHA1 cbb7819178024077e13765a5a0e7b87bba39c312
SHA256 d73a8914369631978fc02cc99a735298589a6ce95979176382caf8be4753c84e
SHA512 b2312b9ae4ec26bf43047cb9aa1fc82f89ef03e4ed6a3d9aeead859eb89137545a20321adb3005314fec4c3b6c4ba1b7db40283c8d4ec2ad9fb57b4900915b87

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

memory/684-14-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

memory/684-16-0x0000000074350000-0x0000000074A3E000-memory.dmp

memory/684-17-0x0000000000980000-0x0000000000981000-memory.dmp

memory/684-19-0x00000000041D0000-0x00000000041D1000-memory.dmp

memory/684-20-0x0000000000500000-0x0000000000501000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\60F5850B53\Log.txt

MD5 aafc0b87394e03494afa6b9d68a21fff
SHA1 03f03c06fa96564a74b6d4f0be73dbf192896a19
SHA256 f3661f114a4d45b30a67f39b5de233d9159afc6e02b3411128b9324fe5b86046
SHA512 172b8f510e622fad1fa6284ed755bbbac4c1cbe777f5dd1ad39b764d4057a08dae261d6d41327af119f9505d703d9d201ce9b4fb730d3de2e4b8bbb4aed5a221

memory/684-22-0x0000000001F30000-0x0000000001F6E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2021-02-16 17:42
Reported: 2021-02-16 17:59
Platform: win10v20201028
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1148 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe | C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe | C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe | C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe | C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe | C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe | C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 1316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2784 wrote to memory of 1316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2784 wrote to memory of 1316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2272 wrote to memory of 640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2272 wrote to memory of 640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2272 wrote to memory of 640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2784 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 2784 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 2784 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe

"C:\Users\Admin\AppData\Local\Temp\3f39da1d_extracted.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9909.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"'

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 23.21.140.41:80 | api.ipify.org | tcp

Files

memory/1148-2-0x0000000073450000-0x0000000073B3E000-memory.dmp

memory/1148-3-0x0000000000C00000-0x0000000000C01000-memory.dmp

memory/1148-6-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

memory/1148-5-0x0000000005560000-0x0000000005561000-memory.dmp

memory/1148-7-0x0000000005610000-0x0000000005611000-memory.dmp

memory/1148-8-0x0000000005F10000-0x0000000005F11000-memory.dmp

memory/1148-9-0x0000000006580000-0x0000000006581000-memory.dmp

memory/2272-10-0x0000000000000000-mapping.dmp

memory/2784-11-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9909.tmp.bat

MD5 55ff9a7142c74a67b065cbc37e0a1a20
SHA1 4b1c19793d65866d05be7261b51668074141019b
SHA256 37fa9e2540d1ddf2a4b004469016a857706df14cf8136c065fce510edfa0ed06
SHA512 78c226897f48c28b0524f201fd68f6176246ad6e05247577bd3a217701a8bb8a3eccad64f1a412830aeec88293b347f880122af1edfac21eeee5d25addf5c217

memory/1316-13-0x0000000000000000-mapping.dmp

memory/640-14-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

MD5 fd4543e3f35c11ef0d889c228beacd23
SHA1 cbb7819178024077e13765a5a0e7b87bba39c312
SHA256 d73a8914369631978fc02cc99a735298589a6ce95979176382caf8be4753c84e
SHA512 b2312b9ae4ec26bf43047cb9aa1fc82f89ef03e4ed6a3d9aeead859eb89137545a20321adb3005314fec4c3b6c4ba1b7db40283c8d4ec2ad9fb57b4900915b87

memory/1860-15-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

memory/1860-18-0x0000000073450000-0x0000000073B3E000-memory.dmp

memory/1860-21-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

memory/1860-22-0x00000000027D0000-0x00000000027D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\109933CE9F\Log.txt

MD5 2942b572b4038e2cfc80fe66e769ca7e
SHA1 9bb0c0552fda51aff771bfaf6b58af037d880ba2
SHA256 8061a015e0523c0c24f0769ae5810aa8c47d2d403babb7f76b4b2c16c5723f8f
SHA512 3253a53bf031bc4085c95ecf8cf15c187b664c9d0d4300df818419de1c4e937a39e325967a0724902be2e8d0d794bb7b2f5d73e2acb6c4ba9383d03e1936a2eb