{"id":21964,"date":"2024-05-29T14:34:04","date_gmt":"2024-05-29T14:34:04","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=21964"},"modified":"2024-05-30T16:56:32","modified_gmt":"2024-05-30T16:56:32","slug":"trojan-win32-mamson-aac","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/trojan-win32-mamson-aac\/","title":{"rendered":"Trojan:Win32\/Mamson.A!ac"},"content":{"rendered":"
Trojan:Win32\/Mamson.A!ac<\/strong> is a type of malware designed to gather data from the system it infects. Sometimes, known spyware families get this detection. The malware is typically distributed disguised as helpful utilities that are downloaded from untrustworthy sources.<\/h5>\n

Trojan:Win32\/Mamson.A!ac Overview<\/h2>\n

Trojan:Win32\/Mamson.A!ac is a Microsoft Defender detection that flags infostealer malware<\/strong>. This type of malicious program aims at collecting data from the infected system. Usually, it gathers login credentials from browser files, cookies, browser history, and other information about the victim’s Internet activity. In some cases, samples of RedLine Stealer<\/a> appear under this detection. Still, the effect is exactly the same.<\/p>\n

\"Trojan:Win32\/Mamson.A!ac
Trojan:Win32\/Mamson.A!ac detection<\/figcaption><\/figure>\n

Mamson Trojan often spreads under the guise of helpful utilities downloaded from shady websites<\/a>, including These places have ideal conditions for malware distribution, as most hacked software requires mandatory disabling of antivirus software<\/strong> during installation. In certain cases, it may hide in the installer.<\/p>\n

Technical Analysis<\/h2>\n

Let’s analyze Trojan:Win32\/Mamson.A!ac by tearing down one of its samples<\/a>. Since this detection is generic, there could be rather wild variations in certain areas, but the \u201cmainstream\u201d functionality remains the same.<\/p>\n

Once Mamson enters the system, it checks for the virtual environment, debugging, or sandboxing. For this, It checks the following values in the registry:<\/p>\n

HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows
\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\/Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0
\nHKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Display<\/code><\/p>\n

These keys keep info about the OS version, language packs, and display settings. Such data is useful both for fingerprinting and to determine whether the environment has anything synthetic about it.<\/p>\n

Privilege Escalation<\/h3>\n

After the first steps, the malware escalates privileges, which gives it a foothold in the system. To begin with, it manipulates the Windows Error Reporting system to legitimize itself.<\/p>\n

%windir%\\system32\\wbem\\wmiprvse.exe
\n%windir%\\System32\\svchost.exe -k WerSvcGroup
\n%windir%\\system32\\WerFault.exe -u -p 2660 -s 684<\/code><\/p>\n

Further, it creates its own service, by executing a command to the Service Control Manager. This makes Mamson much harder to remove manually, as services protect its underlying files. Attempting to remove it anyways after such a trick will likely result in BSOD, unless the antimalware software is used.<\/p>\n

C:\\Windows\\system32\\sc.exe start w32time task_started<\/code><\/p>\n

Defence Evasion<\/h3>\n

To avoid detection, Mamson comes in a packed (encrypted) form that allows it to avoid static detection. In order to legitimize itself, the malware plays with registry keys of Identity Client Runtime Library (IdentityCRL). Some of the values are also used to keep malware configurations.<\/p>\n

HKEY_CURRENT_USER\\Software\\Microsoft\\IdentityCRL\\Immersive\\production\\Property\\001880060ADF5C62
\nHKEY_CURRENT_USER\\Software\\Microsoft\\IdentityCRL\\Immersive\\production\\Property\\00188006102E98CE<\/code><\/p>\n

To cover the tracks, this malware also manipulates the logs of Windows Error Reporting system<\/a>. It edits out lines of the logs that contain the information about the WerFault interactions that I\u2019ve mentioned above.<\/p>\n

C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\AppCrash_executable.exe_515752de8867334bf1b5dff986a385cbabdecb_6ccb0f67_0f5f9b13
\nC:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\AppCrash_executable.exe_515752de8867334bf1b5dff986a385cbabdecb_6ccb0f67_0f5f9b13\\Report.wer
\nC:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\WER1FF4.tmp.dmp<\/code><\/p>\n

Data Collection<\/h3>\n

Mamson infostealer has primary goal is to collect sensitive information. Upon finishing preparations, the malware starts with creating a folder at C:\\Users\\[USER]\/Downloads\\cp<\/strong> and copying data from C:\\Users\\[USER]\\AppData\\Google\\Chrome\\User Data\\Default\\Login Data<\/strong>. That folder keeps a wide range of information about user\u2019s credentials and session tokens. It also collects the following data:<\/p>\n

C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\de7cf8a7901d2ad13e5c67c29e5d1662_cbbb49d6-b7ff-44ca-aba5-8a5e250d4d42
\nC:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\User\\c74ecc55-989d-484d-a8fe-47bdfda57159
\nC:\\Windows\/System32\\spp\/store\\2.0\\cache\\cache.dat.<\/code><\/p>\n

Additionally, Mamson accesses cryptocurrency apps and wallets<\/a> in order to harvest credentials. I did not have a spare crypto wallet to sacrifice for the test, so there were no corresponding logs. Once the data collection is complete, the malware sends it to one of the command servers. Their IP addresses are built into the malware sample:<\/p>\n

23.216.147.76:443
\n23.216.147.64:443
\n104.86.182.8:443<\/code><\/p>\n

How To Remove Trojan:Win32\/Mamson.A!ac?<\/h2>\n

To remove Trojan:Win32\/Mamson.A!ac you will need a scan with GridinSoft Anti-Malware<\/strong>. Since the malware primarily targets Windows’ built-in defenses, they may be disabled or not working correctly. With GridinSoft Anti-Malware, you will be sure that the malware is completely gone. Run a Full scan to check the entire system and remove even the most covert threats.<\/p>\n

\"Trojan:Win32\/Mamson.A!ac\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Trojan:Win32\/Mamson.A!ac is a type of malware designed to gather data from the system it infects. Sometimes, known spyware families get this detection. The malware is typically distributed disguised as helpful utilities that are downloaded from untrustworthy sources. Trojan:Win32\/Mamson.A!ac Overview Trojan:Win32\/Mamson.A!ac is a Microsoft Defender detection that flags infostealer malware. This type of malicious program aims […]<\/p>\n","protected":false},"author":7,"featured_media":21984,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[17],"tags":[1360,24,223],"class_list":{"0":"post-21964","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-labs","8":"tag-stealer","9":"tag-trojan","10":"tag-windows-defender"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/05\/GS_Blog_banner_What-is-Trojan_Win32_Mamson.Aac.webp","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/21964","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=21964"}],"version-history":[{"count":23,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/21964\/revisions"}],"predecessor-version":[{"id":22397,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/21964\/revisions\/22397"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/21984"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=21964"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=21964"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=21964"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}