Analysis

max time kernel:   130s
max time network:  153s
platform:          windows7_x64
resource:          win7
submitted:         16-06-2020 20:51
Tasks

Static task      static1
Behavioral task  behavioral1   Sample: B3gkHhPlWv3DOsB.exe   Resource: win7
Behavioral task  behavioral2   Sample: B3gkHhPlWv3DOsB.exe   Resource: win10v200430
General

Target:  B3gkHhPlWv3DOsB.exe
Size:    845KB
MD5:     35a5963bfb1fa8b5e3851378959ac522
SHA1:    b1c035b8221c06e14311eda738df7e28a6559514
SHA256:  77b7fa89c446b127b0c1d8ad0c5dc5fb57c8121dd3c40a67b77e5c0a35d75114
SHA512:  851bd78e047d34a27f532e808bbe6e27cc9b7e09a39bd26ed69b121f9b377a85a381e50f73d8b1775987d7582300b963cf7be119e9cb7334d490d21dacdddd80
Malware Config

Extracted from:  C:\Users\Admin\AppData\Local\Temp\E2C1E8F1FA\Log.txt
Family:          masslogger
Signatures

Suspicious use of WriteProcessMemory (13 IoCs)
  pid  Process              target pid  target Process       procid_target  rows
  900  B3gkHhPlWv3DOsB.exe  1868        schtasks.exe         26             4
  900  B3gkHhPlWv3DOsB.exe  1384        B3gkHhPlWv3DOsB.exe  28             9
  (the target process name is taken from the Processes section below; the report lists each write as its own row)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1384  B3gkHhPlWv3DOsB.exe
  1384  B3gkHhPlWv3DOsB.exe

MassLogger log file (1 IoC)
  Detects a log file produced by MassLogger.
  yara_rule  masslogger_log_file

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1384  B3gkHhPlWv3DOsB.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

Suspicious use of SetThreadContext (1 IoC)
  pid  Process              target pid  procid_target
  900  B3gkHhPlWv3DOsB.exe  1384        28

Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid   Process              Token
  1384  B3gkHhPlWv3DOsB.exe  SeDebugPrivilege

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  1384  B3gkHhPlWv3DOsB.exe

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  6     api.ipify.org

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1868  schtasks.exe
Processes

C:\Users\Admin\AppData\Local\Temp\B3gkHhPlWv3DOsB.exe  (PID 900)
  command line: "C:\Users\Admin\AppData\Local\Temp\B3gkHhPlWv3DOsB.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  |
  +-- C:\Windows\SysWOW64\schtasks.exe  (PID 1868)
  |     command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cExnKKQoq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp730.tmp"
  |     - Creates scheduled task(s)
  |
  +-- C:\Users\Admin\AppData\Local\Temp\B3gkHhPlWv3DOsB.exe  (PID 1384)
        command line: "{path}"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: AddClipboardFormatListener

Notes on the tree:
  - The command line of PID 1868 names System32\schtasks.exe but the image that ran is SysWOW64\schtasks.exe. That is WoW64 file-system redirection, so PID 900 is a 32-bit process on the x64 guest.
  - PID 1384 is a second instance of the sample's own image started with the literal command line "{path}". Together with the nine WriteProcessMemory calls and the SetThreadContext call from PID 900 into it, this is the pattern of a loader overwriting the image of its own suspended child (process hollowing); all of the stealer behaviour (process enumeration, SetWindowsHookEx, SeDebugPrivilege, clipboard listener) is attributed to that child, not to the parent.
  - The task definition tmp730.tmp is not included in the report, so the trigger and action of task "Updates\cExnKKQoq" cannot be recovered from this page; on a live host, check Task Scheduler under the "Updates" folder.
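The WriteProcessMemory and SetThreadContext rows above, correlated with the process tree, as an added example of detection logic (this is not part of the report and not the sandbox's own rule). The process table and event list are constructed from the Processes and Signatures sections of this page; the rule names, the "{path}" heuristic and the Temp-directory check are assumptions of mine, not something the report states.

```python
"""Correlate sandbox process-access rows into findings.

Added example, not part of the sandbox report or of any analysis tool.
PROCS and EVENTS are constructed from the Processes and Signatures
sections of the report; rule names and heuristics are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str          # image path that actually executed
    cmdline: str        # command line as recorded by the sandbox
    parent: Optional[int]


# Constructed from the Processes section of the report.
PROCS: Dict[int, Proc] = {
    900: Proc(900, r"C:\Users\Admin\AppData\Local\Temp\B3gkHhPlWv3DOsB.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\B3gkHhPlWv3DOsB.exe"', None),
    1868: Proc(1868, r"C:\Windows\SysWOW64\schtasks.exe",
               r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cExnKKQoq" '
               r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp730.tmp"', 900),
    1384: Proc(1384, r"C:\Users\Admin\AppData\Local\Temp\B3gkHhPlWv3DOsB.exe",
               "{path}", 900),
}

# (api, source pid, target pid): the 13 WriteProcessMemory rows and the
# single SetThreadContext row from the Signatures section.
EVENTS: List[Tuple[str, int, int]] = (
    [("WriteProcessMemory", 900, 1868)] * 4
    + [("WriteProcessMemory", 900, 1384)] * 9
    + [("SetThreadContext", 900, 1384)]
)


def find_hollowing(procs, events):
    """Flag a parent that both wrote into a child's memory and reset a
    thread context in it, when the child runs the parent's own image or
    carries the literal "{path}" placeholder as its command line.
    Writes alone (as seen into schtasks.exe here) do not fire."""
    writes = defaultdict(int)
    ctx_targets = set()
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            ctx_targets.add((src, dst))
    hits = []
    for src, dst in sorted(ctx_targets):
        parent, child = procs.get(src), procs.get(dst)
        if not parent or not child or child.parent != src or not writes[(src, dst)]:
            continue
        same_image = parent.image.lower() == child.image.lower()
        if same_image or child.cmdline == "{path}":
            hits.append({"source": src, "target": dst,
                         "writes": writes[(src, dst)], "same_image": same_image})
    return hits


def find_schtasks_persistence(procs):
    """Flag schtasks.exe /Create invocations and record the task name and
    whether the /XML definition was read from the user's Temp directory."""
    hits = []
    for p in procs.values():
        if not p.image.lower().endswith("\\schtasks.exe"):
            continue
        if not re.search(r"\s/create\b", p.cmdline, re.I):
            continue
        tn = re.search(r'/TN\s+"([^"]+)"', p.cmdline, re.I)
        xml = re.search(r'/XML\s+"([^"]+)"', p.cmdline, re.I)
        xml_path = xml.group(1) if xml else None
        hits.append({
            "pid": p.pid,
            "task": tn.group(1) if tn else None,
            "xml": xml_path,
            "xml_in_temp": bool(xml_path) and "\\appdata\\local\\temp\\" in xml_path.lower(),
        })
    return hits


if __name__ == "__main__":
    for hit in find_hollowing(PROCS, EVENTS) + find_schtasks_persistence(PROCS):
        print(hit)
```

The hollowing rule requires both a memory write and a thread-context change from the parent into a child it created, so the four writes into schtasks.exe (with no SetThreadContext) are correctly ignored, while 900 → 1384 is reported with nine writes and a same-image match. The schtasks rule keys on the executed image rather than the command-line path, which is what makes it robust to the System32/SysWOW64 redirection visible in the tree.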