masslogger | 995113d1bd7b707244a6d069c51926a7f79bccafcd55aa2fe4563e314d33876a

Resubmissions

11-06-2020 11:49

200611-1f13szahtj 10

11-06-2020 10:57

200611-hqfde4tdlj 10

Analysis

max time kernel
140s
max time network
42s
platform
windows7_x64
resource
win7v200430
submitted
11-06-2020 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malo.exe
Size

1.2MB
MD5

3f8fe7595c1021c656ecce69dec78cb3
SHA1

51ebb8881432b24aeea0e593c177ca984a797221
SHA256

995113d1bd7b707244a6d069c51926a7f79bccafcd55aa2fe4563e314d33876a
SHA512

335d0b8067e8775fcd7c8e6e232673602b5b0b50abed55996fb0a79cf68e8a9d9d72e0af2b51f2ceab144b09e9fd107a334e7d0aa3192eb41c8f28957f3dc6d5

Score

10^/10

ransomware spyware stealer masslogger

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\C8A579F880\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.7.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.13 Location: United States Windows OS: Microsoft Windows 7 Professional 64bit Windows Serial Key: HYF8J-CVRMY-CM74G-RPHKF-PW487 CPU: Persocon Processor 2.5+ GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 6/11/2020 12:58:31 PM MassLogger Started: 6/11/2020 12:58:28 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\malo.exe MassLogger Melt: false MassLogger Exit after delivery: true As Administrator: True Processes:

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

malo.exemalo.exe

pid process

1092 malo.exe
1092 malo.exe
1092 malo.exe
1808 malo.exe

pid	process
1092	malo.exe
1092	malo.exe
1092	malo.exe
1808	malo.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

malo.exe

description	pid	process	target process
PID 1092 wrote to memory of 1808	1092	malo.exe	malo.exe
PID 1092 wrote to memory of 1808	1092	malo.exe	malo.exe
PID 1092 wrote to memory of 1808	1092	malo.exe	malo.exe
PID 1092 wrote to memory of 1808	1092	malo.exe	malo.exe
PID 1092 wrote to memory of 1808	1092	malo.exe	malo.exe
PID 1092 wrote to memory of 1808	1092	malo.exe	malo.exe
PID 1092 wrote to memory of 1808	1092	malo.exe	malo.exe
PID 1092 wrote to memory of 1808	1092	malo.exe	malo.exe
PID 1092 wrote to memory of 1808	1092	malo.exe	malo.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

malo.exe

description pid process target process

PID 1092 set thread context of 1808 1092 malo.exe malo.exe
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

malo.exemalo.exe

description pid process

Token: SeDebugPrivilege 1092 malo.exe
Token: SeDebugPrivilege 1808 malo.exe

description	pid	process	target process
PID 1092 set thread context of 1808	1092	malo.exe	malo.exe

yara_rule
masslogger_log_file

flow	ioc
4	api.ipify.org

description	pid	process
Token: SeDebugPrivilege	1092	malo.exe
Token: SeDebugPrivilege	1808	malo.exe

C:\Users\Admin\AppData\Local\Temp\malo.exe
"C:\Users\Admin\AppData\Local\Temp\malo.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Users\Admin\AppData\Local\Temp\malo.exe
"C:\Users\Admin\AppData\Local\Temp\malo.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1092-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1808-4-0x0000000000140000-0x00000000001E8000-memory.dmp

Filesize
672KB

Download
memory/1808-5-0x0000000000140000-0x00000000001E8000-memory.dmp

Filesize
672KB

Download