Malware Analysis Report

2025-04-14 05:16

Sample ID 210216-spak6x7r2e
Target e265215c_extracted
SHA256 578c13d534658db7cce4d141ad565d677564490ad6c48df24c1a853dcf6ce02c
Tags masslogger ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

578c13d534658db7cce4d141ad565d677564490ad6c48df24c1a853dcf6ce02c

Threat Level: Known bad

The file e265215c_extracted was found to be: Known bad.

Malicious Activity Summary

masslogger ransomware spyware stealer

MassLogger

MassLogger Main Payload

Masslogger family

MassLogger log file

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-02-16 17:42

Signatures

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Masslogger family

masslogger

Analysis: behavioral1

Detonation Overview

Submitted

2021-02-16 17:42

Reported

2021-02-16 17:57

Platform

win7v20201028

Max time kernel

54s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e265215c_extracted.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e265215c_extracted.exe | N/A

Reads user/profile data of web browsers

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e265215c_extracted.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e265215c_extracted.exe

"C:\Users\Admin\AppData\Local\Temp\e265215c_extracted.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 54.243.164.148:80 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | us2.smtp.mailhostbox.com | udp
N/A | 208.91.198.143:587 | us2.smtp.mailhostbox.com | tcp
N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp

Files

memory/792-2-0x00000000747A0000-0x0000000074E8E000-memory.dmp

memory/792-3-0x0000000000380000-0x0000000000381000-memory.dmp

memory/792-5-0x00000000045F0000-0x00000000045F1000-memory.dmp

memory/792-6-0x0000000000430000-0x0000000000431000-memory.dmp

memory/792-7-0x0000000004ED0000-0x0000000004F0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-02-16 17:42

Reported

2021-02-16 17:57

Platform

win10v20201028

Max time kernel

61s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e265215c_extracted.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e265215c_extracted.exe | N/A

Reads user/profile data of web browsers

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e265215c_extracted.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e265215c_extracted.exe

"C:\Users\Admin\AppData\Local\Temp\e265215c_extracted.exe"

Network

Country | Destination | Domain | Proto
N/A | 52.109.8.19:443 | N/A | tcp
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 54.235.142.93:80 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | us2.smtp.mailhostbox.com | udp
N/A | 208.91.199.225:587 | us2.smtp.mailhostbox.com | tcp

Files

memory/1908-2-0x0000000073920000-0x000000007400E000-memory.dmp

memory/1908-3-0x00000000006E0000-0x00000000006E1000-memory.dmp

memory/1908-5-0x00000000055B0000-0x00000000055B1000-memory.dmp

memory/1908-7-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

memory/1908-6-0x00000000050A0000-0x00000000050A1000-memory.dmp

memory/1908-8-0x0000000005350000-0x0000000005351000-memory.dmp

memory/1908-9-0x0000000006160000-0x0000000006161000-memory.dmp

memory/1908-10-0x0000000006720000-0x0000000006721000-memory.dmp

memory/1908-11-0x0000000006970000-0x00000000069AE000-memory.dmp

memory/1908-12-0x0000000006A00000-0x0000000006A01000-memory.dmp

memory/1908-13-0x0000000006AF0000-0x0000000006AF1000-memory.dmp