masslogger | 30dac0d69e366db4ce57a0935d5619e4bcebfcbaa9f14b7618970cc2aaa522f4

General

Target

Ziraat Bankasi Swift Messaji.exe
Size

1.3MB
MD5

7ba9c730b33fd37be0eec329aabeb6a0
SHA1

eabc80e887de547dc8dd16d4d0a515df48f30791
SHA256

30dac0d69e366db4ce57a0935d5619e4bcebfcbaa9f14b7618970cc2aaa522f4
SHA512

a8ac548c69d3698c87a18291577e6ddc3912c6009878382c3b1bc83cd3ad2b96f39cd60f797a60ae75bb992c413dc35a6f2a4fb844640a621cf88d75a93381fc

Score

10^/10

stealer spyware masslogger persistence

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Ziraat Bankasi Swift Messaji.exe.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 1296 Ziraat Bankasi Swift Messaji.exe
Token: SeDebugPrivilege 1036 .exe
Token: SeDebugPrivilege 1904 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1296	Ziraat Bankasi Swift Messaji.exe
Token: SeDebugPrivilege	1036	.exe
Token: SeDebugPrivilege	1904	RegAsm.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Ziraat Bankasi Swift Messaji.execmd.exe.exe

description	pid	process	target process
PID 1296 wrote to memory of 1808	1296	Ziraat Bankasi Swift Messaji.exe	cmd.exe
PID 1296 wrote to memory of 1808	1296	Ziraat Bankasi Swift Messaji.exe	cmd.exe
PID 1296 wrote to memory of 1808	1296	Ziraat Bankasi Swift Messaji.exe	cmd.exe
PID 1296 wrote to memory of 1808	1296	Ziraat Bankasi Swift Messaji.exe	cmd.exe
PID 1808 wrote to memory of 1820	1808	cmd.exe	reg.exe
PID 1808 wrote to memory of 1820	1808	cmd.exe	reg.exe
PID 1808 wrote to memory of 1820	1808	cmd.exe	reg.exe
PID 1808 wrote to memory of 1820	1808	cmd.exe	reg.exe
PID 1296 wrote to memory of 1036	1296	Ziraat Bankasi Swift Messaji.exe	.exe
PID 1296 wrote to memory of 1036	1296	Ziraat Bankasi Swift Messaji.exe	.exe
PID 1296 wrote to memory of 1036	1296	Ziraat Bankasi Swift Messaji.exe	.exe
PID 1296 wrote to memory of 1036	1296	Ziraat Bankasi Swift Messaji.exe	.exe
PID 1036 wrote to memory of 1904	1036	.exe	RegAsm.exe
PID 1036 wrote to memory of 1904	1036	.exe	RegAsm.exe
PID 1036 wrote to memory of 1904	1036	.exe	RegAsm.exe
PID 1036 wrote to memory of 1904	1036	.exe	RegAsm.exe
PID 1036 wrote to memory of 1904	1036	.exe	RegAsm.exe
PID 1036 wrote to memory of 1904	1036	.exe	RegAsm.exe
PID 1036 wrote to memory of 1904	1036	.exe	RegAsm.exe
PID 1036 wrote to memory of 1904	1036	.exe	RegAsm.exe
PID 1036 wrote to memory of 1904	1036	.exe	RegAsm.exe
PID 1036 wrote to memory of 1904	1036	.exe	RegAsm.exe
PID 1036 wrote to memory of 1904	1036	.exe	RegAsm.exe
PID 1036 wrote to memory of 1904	1036	.exe	RegAsm.exe

Loads dropped DLL 3 IoCs

Processes:

Ziraat Bankasi Swift Messaji.exe.exeRegAsm.exe

pid process

1296 Ziraat Bankasi Swift Messaji.exe
1036 .exe
1904 RegAsm.exe
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file

yara_rule
masslogger_log_file

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\admin = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\Desktop\\.exe"	reg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Ziraat Bankasi Swift Messaji.exe.exeRegAsm.exe

pid	process
1296	Ziraat Bankasi Swift Messaji.exe
1296	Ziraat Bankasi Swift Messaji.exe
1296	Ziraat Bankasi Swift Messaji.exe
1036	.exe
1036	.exe
1036	.exe
1904	RegAsm.exe

Executes dropped EXE 2 IoCs

Processes:

.exeRegAsm.exe

pid process

1036 .exe
1904 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

.exe

description pid process target process

PID 1036 set thread context of 1904 1036 .exe RegAsm.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

pid	process
1036	.exe
1904	RegAsm.exe

description	pid	process	target process
PID 1036 set thread context of 1904	1036	.exe	RegAsm.exe

flow	ioc
6	api.ipify.org

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Messaji.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Messaji.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v admin /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v admin /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\.exe"
3⤵
- Adds Run entry to start application
PID:1820

C:\Users\Admin\Desktop\.exe
"C:\Users\Admin\Desktop\.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1036

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Download Submit
C:\Users\Admin\Desktop\.exe

Download Submit
C:\Users\Admin\Desktop\.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe

Download Submit
\Users\Admin\Desktop\.exe

Download Submit
memory/1036-6-0x0000000000000000-mapping.dmp

Download
memory/1296-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1808-3-0x0000000000000000-mapping.dmp

Download
memory/1820-4-0x0000000000000000-mapping.dmp

Download
memory/1904-17-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1904-18-0x00000000004945DE-mapping.dmp

Download
memory/1904-20-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1904-21-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads