masslogger | 9fc5b3395c0fea9aec9e7c6bfce346acd3271500c1cc085859c4270f91e30a94

General

Target

Bank Document_pdf.exe
Size

1.1MB
MD5

40f4e14fd6f7c8e22f1c602f59beb72f
SHA1

b7d5ab968dfc8587c663b74233a58f9fe411dda6
SHA256

9fc5b3395c0fea9aec9e7c6bfce346acd3271500c1cc085859c4270f91e30a94
SHA512

2cd9eb1a572deb01b565320427b2434dd378959c7d1d6cbbb8164d928a71f8b4d79de082001c2fc7522d2b25cd63ba91da9d5b59a83f3708e8bcf03795ba43ba

Score

10^/10

Malware Config

Signatures

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1360	Bank Document_pdf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1360 set thread context of 1420	1360	Bank Document_pdf.exe	24

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1420	Bank Document_pdf.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1420	Bank Document_pdf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 1420	1360	Bank Document_pdf.exe	24
PID 1360 wrote to memory of 1420	1360	Bank Document_pdf.exe	24
PID 1360 wrote to memory of 1420	1360	Bank Document_pdf.exe	24
PID 1360 wrote to memory of 1420	1360	Bank Document_pdf.exe	24

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	Bank Document_pdf.exe

MassLogger log file 1 IoCs

Detects a log file produced by MassLogger.

yara_rule
masslogger_log_file

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1420-0-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/1420-2-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/1420-3-0x0000000000400000-0x0000000000541000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1360	Bank Document_pdf.exe
1420	Bank Document_pdf.exe
1420	Bank Document_pdf.exe

C:\Users\Admin\AppData\Local\Temp\Bank Document_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Bank Document_pdf.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:1360
- C:\Users\Admin\AppData\Local\Temp\Bank Document_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Bank Document_pdf.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1420-0-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/1420-2-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/1420-3-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/1420-4-0x0000000001F50000-0x0000000001FEA000-memory.dmp

Filesize
616KB

Download
memory/1420-5-0x0000000000332000-0x0000000000333000-memory.dmp

Filesize
4KB

Download
memory/1420-6-0x0000000000550000-0x00000000005E4000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing