Malware Analysis Report

2025-04-14 05:16

Sample ID 210216-k15jssayfx
Target 43d334c1_extracted
SHA256 cecdd448e827e1b016d186e420c1d53c35541fff488ea1211cc2e8b76dc9e38f
Tags masslogger spyware stealer upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 cecdd448e827e1b016d186e420c1d53c35541fff488ea1211cc2e8b76dc9e38f

Threat Level: Known bad

The file 43d334c1_extracted was found to be: Known bad.

Malicious Activity Summary

masslogger spyware stealer upx

MassLogger

MassLogger log file

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-02-16 17:41

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-02-16 17:41

Reported

2021-02-16 17:54

Platform

win10v20201028

Max time kernel

46s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

ACProtect 1.3x - 1.4x DLL software

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

UPX packed file

upx
Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe
Target: N/A

Reads user/profile data of web browsers

spyware

Looks up external IP address via web service

Description: N/A
Indicator: api.ipify.org
Process: N/A
Target: N/A

Suspicious behavior: AddClipboardFormatListener

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe

"C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe"

Network

Country  Destination            Domain                   Proto
N/A      52.114.133.61:443                               tcp
N/A      8.8.8.8:53             api.ipify.org            udp
N/A      54.225.129.141:80      api.ipify.org            tcp
N/A      8.8.8.8:53             microtelculiacan.com.mx  udp
N/A      162.214.94.194:587     microtelculiacan.com.mx  tcp

Files

memory/492-2-0x0000000073310000-0x00000000739FE000-memory.dmp

memory/492-3-0x0000000000B50000-0x0000000000B51000-memory.dmp

\Users\Admin\AppData\Local\Temp\Costura\8E3603ED8A0381E02887C1DBBE921340\32\sqlite.interop.dll

MD5 e81aeac387c5db32b7f9b07d15e788e0
SHA1 829be6eaf1cb0d82b2ddfc98272e1087f4a7a7c3
SHA256 44f31f99f048bfc5195937353b5207332e455bcd5a722bcfd32cacfd93f60f06
SHA512 cc6a96325a01c50c059706a1f4156f109e502ef9c0b0f5de209d1f52e7cc973cebc027f57ed988e9d1b8fca62746b60ee7430d608de95cdd0e5ac3cb61fbe32e

memory/492-6-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

memory/492-7-0x00000000055D0000-0x00000000055D1000-memory.dmp

memory/492-8-0x0000000005400000-0x0000000005401000-memory.dmp

memory/492-9-0x0000000005680000-0x0000000005681000-memory.dmp

memory/492-10-0x00000000066D0000-0x00000000066D1000-memory.dmp

memory/492-11-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

memory/492-12-0x0000000007AA0000-0x0000000007ADE000-memory.dmp

memory/492-13-0x0000000007B40000-0x0000000007B41000-memory.dmp

memory/492-14-0x0000000007B90000-0x0000000007B91000-memory.dmp

memory/492-15-0x0000000007EE0000-0x0000000007F6D000-memory.dmp

memory/492-16-0x0000000007F70000-0x0000000007FC9000-memory.dmp

memory/492-17-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2021-02-16 17:41

Reported

2021-02-16 17:54

Platform

win7v20201028

Max time kernel

48s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

ACProtect 1.3x - 1.4x DLL software

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

UPX packed file

upx
Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe
Target: N/A

Reads user/profile data of web browsers

spyware

Looks up external IP address via web service

Description: N/A
Indicator: api.ipify.org
Process: N/A
Target: N/A

Suspicious behavior: AddClipboardFormatListener

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe

"C:\Users\Admin\AppData\Local\Temp\43d334c1_extracted.exe"

Network

Country  Destination            Domain                          Proto
N/A      8.8.8.8:53             api.ipify.org                   udp
N/A      54.225.129.141:80      api.ipify.org                   tcp
N/A      8.8.8.8:53             microtelculiacan.com.mx         udp
N/A      162.214.94.194:587     microtelculiacan.com.mx         tcp
N/A      8.8.8.8:53             www.download.windowsupdate.com  udp

Files

memory/1852-2-0x0000000074840000-0x0000000074F2E000-memory.dmp

memory/1852-3-0x00000000002B0000-0x00000000002B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\Costura\8E3603ED8A0381E02887C1DBBE921340\32\sqlite.interop.dll

MD5 e81aeac387c5db32b7f9b07d15e788e0
SHA1 829be6eaf1cb0d82b2ddfc98272e1087f4a7a7c3
SHA256 44f31f99f048bfc5195937353b5207332e455bcd5a722bcfd32cacfd93f60f06
SHA512 cc6a96325a01c50c059706a1f4156f109e502ef9c0b0f5de209d1f52e7cc973cebc027f57ed988e9d1b8fca62746b60ee7430d608de95cdd0e5ac3cb61fbe32e

memory/1852-6-0x00000000021B0000-0x00000000021B1000-memory.dmp

memory/1852-7-0x0000000000450000-0x0000000000451000-memory.dmp

memory/1852-8-0x00000000022B0000-0x00000000022EE000-memory.dmp

memory/1852-9-0x00000000054D0000-0x000000000555D000-memory.dmp

memory/1852-10-0x0000000005B70000-0x0000000005BC9000-memory.dmp