masslogger | a543d22347f54870ae7dc14964a0242bfee089214c900abe01d1da6e2fcea6cc

General

Target

MY_self_cryped.exe
Size

1.2MB
MD5

cb0da230201048ec24ca733146c9d3ca
SHA1

fd5789a808f2d601640c591a47d2e7a31759d78f
SHA256

a543d22347f54870ae7dc14964a0242bfee089214c900abe01d1da6e2fcea6cc
SHA512

e3ce4a25725de7668d837a446b0978d2da51e50b591b28097f466c36ff9c42cb475ed58f4424cde31e99523dbaa12c3e7e1c8930a10eb9f5b90239651e28e7a8

Score

10^/10

ransomware stealer spyware masslogger

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\C8A579F880\Log.txt

Family

masslogger

Ransom Note

<|| v2.1.0.0 ||> User Name: Admin IP: 154.61.71.13 Location: United States Windows OS: Microsoft Windows 7 Professional 64bit Windows Serial Key: HYF8J-CVRMY-CM74G-RPHKF-PW487 CPU: Persocon Processor 2.5+ GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 7/17/2020 6:34:35 PM MassLogger Started: 7/17/2020 6:34:26 PM Interval: 96 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\RegAsm.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| USB Spread ||> Disabled <|| Bot Killer ||> Disabled <|| Window Searcher ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> Disabled

Signatures

MassLogger log file 1 IoCs

Detects a log file produced by MassLogger.

yara_rule
masslogger_log_file

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	MY_self_cryped.exe
Token: SeDebugPrivilege	1872	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1500	MY_self_cryped.exe
1500	MY_self_cryped.exe
1500	MY_self_cryped.exe
1872	RegAsm.exe

Executes dropped EXE 1 IoCs

pid	Process
1872	RegAsm.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org

Loads dropped DLL 2 IoCs

pid	Process
1500	MY_self_cryped.exe
1872	RegAsm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1872	1500	MY_self_cryped.exe	26
PID 1500 wrote to memory of 1872	1500	MY_self_cryped.exe	26
PID 1500 wrote to memory of 1872	1500	MY_self_cryped.exe	26
PID 1500 wrote to memory of 1872	1500	MY_self_cryped.exe	26
PID 1500 wrote to memory of 1872	1500	MY_self_cryped.exe	26
PID 1500 wrote to memory of 1872	1500	MY_self_cryped.exe	26
PID 1500 wrote to memory of 1872	1500	MY_self_cryped.exe	26
PID 1500 wrote to memory of 1872	1500	MY_self_cryped.exe	26
PID 1500 wrote to memory of 1872	1500	MY_self_cryped.exe	26
PID 1500 wrote to memory of 1872	1500	MY_self_cryped.exe	26
PID 1500 wrote to memory of 1872	1500	MY_self_cryped.exe	26
PID 1500 wrote to memory of 1872	1500	MY_self_cryped.exe	26

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1500 set thread context of 1872	1500	MY_self_cryped.exe	26

C:\Users\Admin\AppData\Local\Temp\MY_self_cryped.exe
"C:\Users\Admin\AppData\Local\Temp\MY_self_cryped.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1500
- C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1872-4-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1872-7-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1872-8-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing