masslogger | de083ffcc44c047fbf9a4938aca158f47045b9ee3ce98ce7b24202422fca3396

General

Target

file.exe
Size

765KB
MD5

2254eea10e2cb5e29c09bf28170c2e69
SHA1

566257811fb1b9b99304933b10b49c74e7038bbf
SHA256

de083ffcc44c047fbf9a4938aca158f47045b9ee3ce98ce7b24202422fca3396
SHA512

136237a1f634f32bde0048ef5be59b88a3f356b7ede4493f03e0a67ba1324e9e9223a02fec52695e7db8cfe5e02211d87d8bf0550a51d1b1837b2bba67f39562

Score

10^/10

ransomware spyware stealer masslogger

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\C8A579F880\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.7.1 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.13 Location: United States Windows OS: Microsoft Windows 7 Professional 64bit Windows Serial Key: HYF8J-CVRMY-CM74G-RPHKF-PW487 CPU: Persocon Processor 2.5+ GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 7/13/2020 1:58:27 PM MassLogger Started: 7/13/2020 1:58:19 PM Interval: 9 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\file.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1356	file.exe
1356	file.exe

MassLogger log file 1 IoCs

Detects a log file produced by MassLogger.

yara_rule
masslogger_log_file

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1356	file.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1356	file.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org

Modifies the visibility of hidden or system files 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	file.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	file.exe

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1796	schtasks.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 1796	1356	file.exe	26
PID 1356 wrote to memory of 1796	1356	file.exe	26
PID 1356 wrote to memory of 1796	1356	file.exe	26
PID 1356 wrote to memory of 1796	1356	file.exe	26

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Modifies the visibility of hidden or system files
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wyJxHRULjCcEEL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1795.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1796