masslogger | 9fc5b3395c0fea9aec9e7c6bfce346acd3271500c1cc085859c4270f91e30a94

General

Target

Bank Document_pdf.exe
Size

1.1MB
MD5

40f4e14fd6f7c8e22f1c602f59beb72f
SHA1

b7d5ab968dfc8587c663b74233a58f9fe411dda6
SHA256

9fc5b3395c0fea9aec9e7c6bfce346acd3271500c1cc085859c4270f91e30a94
SHA512

2cd9eb1a572deb01b565320427b2434dd378959c7d1d6cbbb8164d928a71f8b4d79de082001c2fc7522d2b25cd63ba91da9d5b59a83f3708e8bcf03795ba43ba

Score

10^/10

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3428	Bank Document_pdf.exe

MassLogger log file 1 IoCs

Detects a log file produced by MassLogger.

yara_rule
masslogger_log_file

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/3428-0-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/3428-2-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/3428-3-0x0000000000400000-0x0000000000541000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3908 set thread context of 3428	3908	Bank Document_pdf.exe	67

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 3428	3908	Bank Document_pdf.exe	67
PID 3908 wrote to memory of 3428	3908	Bank Document_pdf.exe	67
PID 3908 wrote to memory of 3428	3908	Bank Document_pdf.exe	67

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3908	Bank Document_pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3428	Bank Document_pdf.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3428	Bank Document_pdf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3908	Bank Document_pdf.exe
3908	Bank Document_pdf.exe
3428	Bank Document_pdf.exe
3428	Bank Document_pdf.exe

C:\Users\Admin\AppData\Local\Temp\Bank Document_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Bank Document_pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
PID:3908
- C:\Users\Admin\AppData\Local\Temp\Bank Document_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Bank Document_pdf.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  PID:3428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3428-0-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3428-2-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3428-3-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3428-4-0x0000000002310000-0x00000000023AA000-memory.dmp

Filesize
616KB

Download
memory/3428-5-0x00000000023E2000-0x00000000023E3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing