Analysis

  • max time kernel
    102s
  • max time network
    104s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64arch:x86image:win11-20250619-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    01/07/2025, 07:06

General

  • Target

    SHIPPING DOCS.exe

  • Size

    1.0MB

  • MD5

    1d19cd6bf6edec5ef5a1c1cc4f89585f

  • SHA1

    6d4237f6f919d9b3b91e849f100bd380a32482b9

  • SHA256

    d2edbdbb3b80768af3e1b625452dcfb6932d70fedf14df8fe8c4c0ccbbc323f5

  • SHA512

    0df5635a806c21b53df8db2904b772c219a6741ad2b5a7166d807b4dfba70003e316400a8522b6b676488016ee42e2c6e382e1b033113e3aac285abf10fb2140

  • SSDEEP

    24576:z5EmXFtKaL4/oFe5T9yyXYfP1ijXdaHfUsdvODn6A:zPVt/LZeJbInQRaHnN

Malware Config

Extracted

Family

masslogger

C2

https://api.telegram.org/bot7734028043:AAFIeCvMZ4kzPCyRJpN0A6Vnw5IFE1hKcXw/sendMessage?chat_id=7758782479

Attributes
  • exfiltration_mode

    #TGEnabled

  • expire_time_date

    2025-06-14

  • ssl_slate

    False

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • Masslogger family
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCS.exe
    "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCS.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3832
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCS.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:228

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/228-7-0x00000000003D0000-0x00000000003EE000-memory.dmp

          Filesize

          120KB

        • memory/228-8-0x0000000005350000-0x00000000058F6000-memory.dmp

          Filesize

          5.6MB

        • memory/228-9-0x0000000004CC0000-0x0000000004D5C000-memory.dmp

          Filesize

          624KB

        • memory/228-10-0x0000000004E50000-0x0000000004E60000-memory.dmp

          Filesize

          64KB

        • memory/228-11-0x0000000005DE0000-0x0000000005E72000-memory.dmp

          Filesize

          584KB

        • memory/228-12-0x0000000005D90000-0x0000000005DE0000-memory.dmp

          Filesize

          320KB

        • memory/228-13-0x0000000006150000-0x0000000006312000-memory.dmp

          Filesize

          1.8MB

        • memory/228-14-0x0000000006080000-0x000000000608A000-memory.dmp

          Filesize

          40KB

        • memory/228-15-0x0000000004E50000-0x0000000004E60000-memory.dmp

          Filesize

          64KB

        • memory/3832-6-0x00000000014F0000-0x00000000018F0000-memory.dmp

          Filesize

          4.0MB