masslogger | abe23e12f4aa1f3e0b9ea3777ffaaf4fdcf9ccb21e7331b32d20bfa3a511f6c7

General

Target

#gfe00620.exe
Size

1.1MB
MD5

504fd653e392b36a4f829f583d8e5f29
SHA1

a5b27394da0c8afffbc4dfa4a734db62917b9fae
SHA256

abe23e12f4aa1f3e0b9ea3777ffaaf4fdcf9ccb21e7331b32d20bfa3a511f6c7
SHA512

e4c030d4a8e1693cb04158e4df28c51f916b4814bb4494c418248b861230a5ac6c55a41fbef46f3e7a0749b3d863850a37b2a8b5349a83a92b15fe394cf212ab

Score

10^/10

ransomware stealer spyware masslogger

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\C8A579F880\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.7.1 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.13 Location: United States Windows OS: Microsoft Windows 7 Professional 64bit Windows Serial Key: HYF8J-CVRMY-CM74G-RPHKF-PW487 CPU: Persocon Processor 2.5+ GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 6/29/2020 2:46:33 PM MassLogger Started: 6/29/2020 2:46:27 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\#gfe00620.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org

flow	ioc
5	api.ipify.org

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

#gfe00620.exe

description	pid	process	target process
PID 240 wrote to memory of 1892	240	#gfe00620.exe	schtasks.exe
PID 240 wrote to memory of 1892	240	#gfe00620.exe	schtasks.exe
PID 240 wrote to memory of 1892	240	#gfe00620.exe	schtasks.exe
PID 240 wrote to memory of 1892	240	#gfe00620.exe	schtasks.exe
PID 240 wrote to memory of 1744	240	#gfe00620.exe	#gfe00620.exe
PID 240 wrote to memory of 1744	240	#gfe00620.exe	#gfe00620.exe
PID 240 wrote to memory of 1744	240	#gfe00620.exe	#gfe00620.exe
PID 240 wrote to memory of 1744	240	#gfe00620.exe	#gfe00620.exe
PID 240 wrote to memory of 1744	240	#gfe00620.exe	#gfe00620.exe
PID 240 wrote to memory of 1744	240	#gfe00620.exe	#gfe00620.exe
PID 240 wrote to memory of 1744	240	#gfe00620.exe	#gfe00620.exe
PID 240 wrote to memory of 1744	240	#gfe00620.exe	#gfe00620.exe
PID 240 wrote to memory of 1744	240	#gfe00620.exe	#gfe00620.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

#gfe00620.exe

pid process

1744 #gfe00620.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

#gfe00620.exe#gfe00620.exe

pid process

240 #gfe00620.exe
1744 #gfe00620.exe
1744 #gfe00620.exe
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

#gfe00620.exe

pid process

1744 #gfe00620.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1892 schtasks.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

#gfe00620.exe

description pid process target process

PID 240 set thread context of 1744 240 #gfe00620.exe #gfe00620.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

#gfe00620.exe#gfe00620.exe

description pid process

Token: SeDebugPrivilege 240 #gfe00620.exe
Token: SeDebugPrivilege 1744 #gfe00620.exe

pid	process
1744	#gfe00620.exe

pid	process
240	#gfe00620.exe
1744	#gfe00620.exe
1744	#gfe00620.exe

yara_rule
masslogger_log_file

pid	process
1744	#gfe00620.exe

pid	process
1892	schtasks.exe

description	pid	process	target process
PID 240 set thread context of 1744	240	#gfe00620.exe	#gfe00620.exe

description	pid	process
Token: SeDebugPrivilege	240	#gfe00620.exe
Token: SeDebugPrivilege	1744	#gfe00620.exe

C:\Users\Admin\AppData\Local\Temp\#gfe00620.exe
"C:\Users\Admin\AppData\Local\Temp\#gfe00620.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:240

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nYVUveDQlcJuye" /XML "C:\Users\Admin\AppData\Local\Temp\tmpECBE.tmp"
2⤵
- Creates scheduled task(s)
PID:1892

C:\Users\Admin\AppData\Local\Temp\#gfe00620.exe
"C:\Users\Admin\AppData\Local\Temp\#gfe00620.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpECBE.tmp

Download Submit
memory/240-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1744-4-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1744-5-0x00000000004A2FCE-mapping.dmp

Download
memory/1744-6-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1744-7-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1892-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads