Analysis
- max time kernel: 89s
- max time network: 80s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:20
Static task: static1
Behavioral task: behavioral1
- Sample: DHL_MAY_.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: DHL_MAY_.exe
- Resource: win10v2004-20220414-en
General
- Target: DHL_MAY_.exe
- Size: 1MB
- MD5: 7f56bc3c202c7284b09d069b1fe4e0df
- SHA1: 5218641a49868df36c1ee409c22ce14e56b7dfb8
- SHA256: 15fca9cc94b9a0632fe98a3a15e0c75d1f3ff2ce42a47d7b9d76217ca4bfca05
- SHA512: d0e7a060a67227891b54385432ae39f4572cb26e7c844b6d6222b7a454cbbeb9ab1013a157afaac605ea62b34b023e2d02b30eae9abea23b4b1ce2d7b46fedf2
Malware Config
- Family: masslogger
- Extracted: C:\Users\Admin\AppData\Local\Temp\3B8E3C2477\Log.txt
Signatures
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger Main Payload (58 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1824-54-0x0000000000080000-0x00000000001D4000-memory.dmp | family_masslogger
  behavioral1/memory/1112-61-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-62-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-64-0x00000000004ABEAE-mapping.dmp | family_masslogger
  behavioral1/memory/1112-66-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-65-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-70-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-73-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-75-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-76-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-77-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-79-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-78-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-74-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-80-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-82-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-81-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-84-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-83-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-85-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-87-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-86-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-88-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-90-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-89-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-91-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-93-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-92-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-95-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-94-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-96-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-98-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-99-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-100-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-97-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-102-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-101-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-103-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-104-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-106-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-105-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-108-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-107-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-110-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-109-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-112-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-113-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-111-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-115-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-114-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-117-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-116-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-118-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-120-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-119-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-121-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-122-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
  behavioral1/memory/1112-123-0x00000000001E0000-0x0000000000290000-memory.dmp | family_masslogger
- MassLogger log file (1 IoCs)
  Detects a log file produced by MassLogger.
  Processes:
  yara_rule: masslogger_log_file
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: DHL_MAY_.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation | DHL_MAY_.exe
- Obfuscated with Agile.Net obfuscator (1 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
  resource | yara_rule
  behavioral1/memory/1824-55-0x00000000003C0000-0x00000000003D4000-memory.dmp | agile_net
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: DHL_MAY_.exe
  description | pid | process | target process
  PID 1824 set thread context of 1112 | 1824 | DHL_MAY_.exe | DHL_MAY_.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: DHL_MAY_.exe, DHL_MAY_.exe
  pid | process
  1824 | DHL_MAY_.exe
  1824 | DHL_MAY_.exe
  1824 | DHL_MAY_.exe
  1112 | DHL_MAY_.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: DHL_MAY_.exe, DHL_MAY_.exe
  description | pid | process
  Token: SeDebugPrivilege | 1824 | DHL_MAY_.exe
  Token: SeDebugPrivilege | 1112 | DHL_MAY_.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: DHL_MAY_.exe
  description | pid | process | target process
  PID 1824 wrote to memory of 1112 | 1824 | DHL_MAY_.exe | DHL_MAY_.exe
  PID 1824 wrote to memory of 1112 | 1824 | DHL_MAY_.exe | DHL_MAY_.exe
  PID 1824 wrote to memory of 1112 | 1824 | DHL_MAY_.exe | DHL_MAY_.exe
  PID 1824 wrote to memory of 1112 | 1824 | DHL_MAY_.exe | DHL_MAY_.exe
  PID 1824 wrote to memory of 1112 | 1824 | DHL_MAY_.exe | DHL_MAY_.exe
  PID 1824 wrote to memory of 1112 | 1824 | DHL_MAY_.exe | DHL_MAY_.exe
  PID 1824 wrote to memory of 1112 | 1824 | DHL_MAY_.exe | DHL_MAY_.exe
  PID 1824 wrote to memory of 1112 | 1824 | DHL_MAY_.exe | DHL_MAY_.exe
  PID 1824 wrote to memory of 1112 | 1824 | DHL_MAY_.exe | DHL_MAY_.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DHL_MAY_.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL_MAY_.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DHL_MAY_.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL_MAY_.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1112-58-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-59-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-61-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-62-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-64-0x00000000004ABEAE-mapping.dmp
- memory/1112-66-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-65-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-70-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-73-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-75-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-76-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-77-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-79-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-78-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-74-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-80-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-82-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-81-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-84-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-83-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-85-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-87-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-86-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-88-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-90-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-89-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-91-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-93-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-92-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-95-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-94-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-96-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-98-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-99-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-100-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-97-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-102-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-101-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-103-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-104-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-106-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-105-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-108-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-107-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-110-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-109-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-112-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-113-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-111-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-115-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-114-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-117-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-116-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-118-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-120-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-119-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-121-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-122-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-123-0x00000000001E0000-0x0000000000290000-memory.dmp (Filesize 704KB)
- memory/1112-328-0x0000000000750000-0x0000000000794000-memory.dmp (Filesize 272KB)
- memory/1112-330-0x00000000020B5000-0x00000000020C6000-memory.dmp (Filesize 68KB)
- memory/1824-54-0x0000000000080000-0x00000000001D4000-memory.dmp (Filesize 1MB)
- memory/1824-55-0x00000000003C0000-0x00000000003D4000-memory.dmp (Filesize 80KB)
- memory/1824-56-0x0000000000420000-0x0000000000428000-memory.dmp (Filesize 32KB)
- memory/1824-57-0x0000000000550000-0x0000000000558000-memory.dmp (Filesize 32KB)