Analysis

- max time kernel: 102s
- max time network: 104s
- platform: windows11-21h2_x64
- resource: win11-20250619-en
- resource tags: arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 01/07/2025, 07:06
Tasks

- Static task: static1
- Behavioral task: behavioral1 (sample: SHIPPING DOCS.exe, resource: win10v2004-20250610-en)
- Behavioral task: behavioral2 (sample: SHIPPING DOCS.exe, resource: win11-20250619-en)
General

- Target: SHIPPING DOCS.exe
- Size: 1.0MB
- MD5: 1d19cd6bf6edec5ef5a1c1cc4f89585f
- SHA1: 6d4237f6f919d9b3b91e849f100bd380a32482b9
- SHA256: d2edbdbb3b80768af3e1b625452dcfb6932d70fedf14df8fe8c4c0ccbbc323f5
- SHA512: 0df5635a806c21b53df8db2904b772c219a6741ad2b5a7166d807b4dfba70003e316400a8522b6b676488016ee42e2c6e382e1b033113e3aac285abf10fb2140
- SSDEEP: 24576:z5EmXFtKaL4/oFe5T9yyXYfP1ijXdaHfUsdvODn6A:zPVt/LZeJbInQRaHnN
Malware Config

Extracted family: masslogger

- Telegram Bot API endpoint: https://api.telegram.org/bot7734028043:AAFIeCvMZ4kzPCyRJpN0A6Vnw5IFE1hKcXw/sendMessage?chat_id=7758782479
- exfiltration_mode: #TGEnabled
- expire_time_date: 2025-06-14
- ssl_slate: False
Signatures

- MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- Masslogger family
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened by RegSvcs.exe:
  - \REGISTRY\USER\S-1-5-21-3972667009-3658015838-2693993929-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-3972667009-3658015838-2693993929-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-3972667009-3658015838-2693993929-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 1: checkip.dyndns.org
  - flow 1: reallyfreegeoip.org
  - flow 3: reallyfreegeoip.org
- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  - resource: behavioral2/memory/3832-6-0x00000000014F0000-0x00000000018F0000-memory.dmp, yara_rule: autoit_exe
- Suspicious use of SetThreadContext (1 IoC)
  - PID 3832 (SHIPPING DOCS.exe) set thread context of PID 228 (procid_target 78)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (SHIPPING DOCS.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RegSvcs.exe)
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
  Adversaries may check for Internet connectivity on compromised systems.
  - PID 3832 (SHIPPING DOCS.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  - PID 228 (RegSvcs.exe)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  - PID 3832 (SHIPPING DOCS.exe)
  - PID 3832 (SHIPPING DOCS.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, PID 228 (RegSvcs.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 3832 (SHIPPING DOCS.exe) wrote to memory of PID 228 (procid_target 78)
  - PID 3832 (SHIPPING DOCS.exe) wrote to memory of PID 228 (procid_target 78)
  - PID 3832 (SHIPPING DOCS.exe) wrote to memory of PID 228 (procid_target 78)
  - PID 3832 (SHIPPING DOCS.exe) wrote to memory of PID 228 (procid_target 78)
- outlook_office_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-3972667009-3658015838-2693993929-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- outlook_win_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-3972667009-3658015838-2693993929-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
Processes

- C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCS.exe"
  PID: 3832
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 3832)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCS.exe"
    PID: 228
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
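The signatures and process tree above record three things a host sensor can see without any MassLogger-specific knowledge: the dropper starts the .NET utility RegSvcs.exe with the dropper's own command line and then uses WriteProcessMemory and SetThreadContext on it (the process-hollowing pattern, so the image name on disk no longer describes what the process runs); the hollowed RegSvcs.exe takes SeDebugPrivilege and opens the Outlook profile keys; and both processes resolve external-IP services. The Python below is an added example, not part of the Triage report and not MassLogger code. It runs four small rules over constructed events built from the paths, PIDs, registry keys and domains in this report, plus one benign OUTLOOK.EXE record (assumed path) as a control, and then correlates which PID was both an injection target and performed stealer-style activity. The dict layout is an assumption; field names are borrowed from Sysmon (IDs 1, 10, 22) and the Windows Security log (ID 4663) so a real feed needs only a thin adapter.

```python
"""Host-telemetry rules for the behaviours recorded in the report above.

Added example; not part of the Triage report and not MassLogger code.
Events are constructed as plain dicts (layout assumed). Field names follow
Sysmon ID 1 ProcessCreate, ID 10 ProcessAccess, ID 22 DnsQuery and Windows
Security ID 4663 object access. Paths, PIDs, keys and domains come from the
report; the OUTLOOK.EXE path is an assumed benign control.
"""
import ntpath
import re

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCS.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"  # assumed
HKU = "\\REGISTRY\\USER\\S-1-5-21-3972667009-3658015838-2693993929-1000"
PROFILE_GUID = "9375CFF0413111d3B88A00104B2A6676"

# Constructed events mirroring the report's process tree and IoCs.
# GrantedAccess is an int here; real Sysmon emits it as a hex string.
EVENTS = [
    {"EventID": 1, "ProcessId": 3832, "Image": DROPPER,
     "CommandLine": f'"{DROPPER}"', "ParentImage": r"C:\Windows\explorer.exe"},
    # RegSvcs.exe carries the dropper's command line: the hollowing tell.
    {"EventID": 1, "ProcessId": 228, "Image": REGSVCS,
     "CommandLine": f'"{DROPPER}"', "ParentImage": DROPPER},
    {"EventID": 10, "SourceProcessId": 3832, "SourceImage": DROPPER,
     "TargetProcessId": 228, "TargetImage": REGSVCS, "GrantedAccess": 0x1FFFFF},
    {"EventID": 4663, "ProcessId": 228, "ProcessName": REGSVCS,
     "ObjectName": HKU + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\\" + PROFILE_GUID},
    {"EventID": 4663, "ProcessId": 228, "ProcessName": REGSVCS,
     "ObjectName": HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\" + PROFILE_GUID},
    # Benign control: Outlook reading its own profile must not fire.
    {"EventID": 4663, "ProcessId": 4100, "ProcessName": OUTLOOK,
     "ObjectName": HKU + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\\" + PROFILE_GUID},
    {"EventID": 22, "ProcessId": 3832, "Image": DROPPER, "QueryName": "checkip.dyndns.org"},
    {"EventID": 22, "ProcessId": 228, "Image": REGSVCS, "QueryName": "reallyfreegeoip.org"},
]

PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020   # OpenProcess access bits
IP_LOOKUP_DOMAINS = {"checkip.dyndns.org", "reallyfreegeoip.org"}
MAIL_CLIENTS = {"outlook.exe"}  # processes expected to touch Outlook profile keys
OUTLOOK_PROFILE_RE = re.compile(
    r"\\(Software\\Microsoft\\Office\\1[56]\.0\\Outlook\\Profiles"
    r"|Windows Messaging Subsystem\\Profiles)\\", re.IGNORECASE)


def base(path):
    """Lower-cased file name of a Windows path (ntpath works off-Windows too)."""
    return ntpath.basename(path).lower()


def image_from_cmdline(cmdline):
    """Executable named by a Windows command line (quoted path or first token)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def detect(events):
    """Run the four rules over events and return one finding dict per hit."""
    findings = []
    for e in events:
        eid = e["EventID"]
        if eid == 1:
            claimed = base(image_from_cmdline(e["CommandLine"]))
            if claimed != base(e["Image"]):
                findings.append({"rule": "image_cmdline_mismatch", "pid": e["ProcessId"],
                                 "detail": f"{base(e['Image'])} started with the command line of {claimed}"})
        elif eid == 10:
            want = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
            if e["GrantedAccess"] & want == want and base(e["SourceImage"]) != base(e["TargetImage"]):
                findings.append({"rule": "cross_process_write", "pid": e["SourceProcessId"],
                                 "target_pid": e["TargetProcessId"],
                                 "detail": f"{base(e['SourceImage'])} opened {base(e['TargetImage'])} "
                                           f"with access 0x{e['GrantedAccess']:X}"})
        elif eid == 4663:
            if OUTLOOK_PROFILE_RE.search(e["ObjectName"]) and base(e["ProcessName"]) not in MAIL_CLIENTS:
                findings.append({"rule": "outlook_profile_access", "pid": e["ProcessId"],
                                 "detail": f"{base(e['ProcessName'])} opened {e['ObjectName']}"})
        elif eid == 22 and e["QueryName"].lower() in IP_LOOKUP_DOMAINS:
            findings.append({"rule": "external_ip_lookup", "pid": e["ProcessId"],
                             "detail": f"{base(e['Image'])} resolved {e['QueryName']}"})
    return findings


def correlate(findings):
    """PIDs that were injection targets and then showed stealer-style activity."""
    injected = {f["pid"] for f in findings if f["rule"] == "image_cmdline_mismatch"}
    injected |= {f["target_pid"] for f in findings if f["rule"] == "cross_process_write"}
    post = {f["pid"] for f in findings if f["rule"] in ("outlook_profile_access", "external_ip_lookup")}
    return injected & post


if __name__ == "__main__":
    hits = detect(EVENTS)
    for f in hits:
        print(f"[{f['rule']}] pid {f['pid']}: {f['detail']}")
    print("hollowed processes with stealer activity:", sorted(correlate(hits)))
```

The image/command-line mismatch rule is the cheapest of the four and fires on the process-create event alone, before any memory write is observed; the ProcessAccess rule confirms who did the writing. The Outlook rule allow-lists only the mail client itself, so any other process touching a profile key is reported, which is the behaviour the report's outlook_office_path and outlook_win_path signatures capture.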