masslogger | e91593299dba4d7f9362c8d64e701413af0384f0f7ecca356ab138497f3a8e4d

General

Target

Bank Statement_pdf.exe
Size

899KB
MD5

1c3985f5c3ad3e9a5394d093237ecd72
SHA1

9d3c319ac9c93ed1227c7808f8a8a16b935a6fcf
SHA256

e91593299dba4d7f9362c8d64e701413af0384f0f7ecca356ab138497f3a8e4d
SHA512

3f3ce2ddac434d8bc8cb8f5c376b31e63d54ccfb809907542bb5b0f6094a01049ba6e15e20e5c6b3af815248e3ec6ea1993194b68eeb78743fd88c7ec5037511

Score

10^/10

spyware stealer masslogger

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Bank Statement_pdf.exeBank Statement_pdf.exe

pid process

1612 Bank Statement_pdf.exe
1116 Bank Statement_pdf.exe
1116 Bank Statement_pdf.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Bank Statement_pdf.exe

pid process

1612 Bank Statement_pdf.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Bank Statement_pdf.exe

description pid process target process

PID 1612 set thread context of 1116 1612 Bank Statement_pdf.exe Bank Statement_pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Bank Statement_pdf.exe

description pid process

Token: SeDebugPrivilege 1116 Bank Statement_pdf.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Bank Statement_pdf.exe

pid process

1116 Bank Statement_pdf.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Bank Statement_pdf.exe

pid process

1116 Bank Statement_pdf.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1612	Bank Statement_pdf.exe
1116	Bank Statement_pdf.exe
1116	Bank Statement_pdf.exe

pid	process
1612	Bank Statement_pdf.exe

description	pid	process	target process
PID 1612 set thread context of 1116	1612	Bank Statement_pdf.exe	Bank Statement_pdf.exe

description	pid	process
Token: SeDebugPrivilege	1116	Bank Statement_pdf.exe

pid	process
1116	Bank Statement_pdf.exe

pid	process
1116	Bank Statement_pdf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Bank Statement_pdf.exe

description	pid	process	target process
PID 1612 wrote to memory of 1116	1612	Bank Statement_pdf.exe	Bank Statement_pdf.exe
PID 1612 wrote to memory of 1116	1612	Bank Statement_pdf.exe	Bank Statement_pdf.exe
PID 1612 wrote to memory of 1116	1612	Bank Statement_pdf.exe	Bank Statement_pdf.exe
PID 1612 wrote to memory of 1116	1612	Bank Statement_pdf.exe	Bank Statement_pdf.exe

MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file

yara_rule
masslogger_log_file

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/1116-0-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/1116-2-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/1116-3-0x0000000000400000-0x0000000000541000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

flow	ioc
4	api.ipify.org

C:\Users\Admin\AppData\Local\Temp\Bank Statement_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Bank Statement_pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Temp\Bank Statement_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Bank Statement_pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-0-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/1116-1-0x000000000053FAE0-mapping.dmp

Download
memory/1116-2-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/1116-3-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/1116-4-0x00000000005F0000-0x000000000068A000-memory.dmp

Filesize
616KB

Download
memory/1116-5-0x0000000002032000-0x0000000002033000-memory.dmp

Filesize
4KB

Download
memory/1116-6-0x0000000000260000-0x00000000002F4000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing