malo

General

Target:     malo.exe
Filesize:   1MB
Completed:  11-06-2020 11:00
Score:      10/10
MD5:        3f8fe7595c1021c656ecce69dec78cb3
SHA1:       51ebb8881432b24aeea0e593c177ca984a797221
SHA256:     995113d1bd7b707244a6d069c51926a7f79bccafcd55aa2fe4563e314d33876a

Malware Config

Extracted

Path:    C:\Users\Admin\AppData\Local\Temp\C8A579F880\Log.txt
Family:  masslogger
Ransom Note:

#################################################################
MassLogger v1.3.7.0
#################################################################

### Logger Details ###
User Name: Admin
IP: 154.61.71.13
Location: United States
Windows OS: Microsoft Windows 7 Professional 64bit
Windows Serial Key: HYF8J-CVRMY-CM74G-RPHKF-PW487
CPU: Persocon Processor 2.5+
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 6/11/2020 12:58:31 PM
MassLogger Started: 6/11/2020 12:58:28 PM
Interval: 2 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\malo.exe
MassLogger Melt: false
MassLogger Exit after delivery: true
As Administrator: True
Processes:
Signatures (8)

Tags: Collection, Credential Access
  • Suspicious behavior: EnumeratesProcesses
    Processes: malo.exe, malo.exe

    Reported IOCs

    pid    process
    1092   malo.exe
    1092   malo.exe
    1092   malo.exe
    1808   malo.exe
  • Suspicious use of WriteProcessMemory
    Processes: malo.exe

    Reported IOCs

    description                         pid    process    target process
    PID 1092 wrote to memory of 1808    1092   malo.exe   malo.exe
    PID 1092 wrote to memory of 1808    1092   malo.exe   malo.exe
    PID 1092 wrote to memory of 1808    1092   malo.exe   malo.exe
    PID 1092 wrote to memory of 1808    1092   malo.exe   malo.exe
    PID 1092 wrote to memory of 1808    1092   malo.exe   malo.exe
    PID 1092 wrote to memory of 1808    1092   malo.exe   malo.exe
    PID 1092 wrote to memory of 1808    1092   malo.exe   malo.exe
    PID 1092 wrote to memory of 1808    1092   malo.exe   malo.exe
    PID 1092 wrote to memory of 1808    1092   malo.exe   malo.exe
  • Suspicious use of SetThreadContext
    Processes: malo.exe

    Reported IOCs

    description                             pid    process    target process
    PID 1092 set thread context of 1808     1092   malo.exe   malo.exe
  • MassLogger log file

    Description

    Detects a log file produced by MassLogger.

    Reported IOCs

    yara rule
    masslogger_log_file
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags (TTPs)

    Data from Local System
    Credentials in Files
  • MassLogger

    Description

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow   ioc
    4      api.ipify.org
  • Suspicious use of AdjustPrivilegeToken
    Processes: malo.exe, malo.exe

    Reported IOCs

    description                 pid    process
    Token: SeDebugPrivilege     1092   malo.exe
    Token: SeDebugPrivilege     1808   malo.exe
Processes (2)
  • C:\Users\Admin\AppData\Local\Temp\malo.exe
    "C:\Users\Admin\AppData\Local\Temp\malo.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    Suspicious use of SetThreadContext
    Suspicious use of AdjustPrivilegeToken
    PID:1092
    • C:\Users\Admin\AppData\Local\Temp\malo.exe
      "C:\Users\Admin\AppData\Local\Temp\malo.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1808
Network
MITRE ATT&CK Matrix

Tactic columns: Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/1092-1-0x0000000000000000-0x0000000000000000-disk.dmp
  • memory/1808-4-0x0000000000140000-0x00000000001E8000-memory.dmp
  • memory/1808-5-0x0000000000140000-0x00000000001E8000-memory.dmp