masslogger | 311380e373e370131734bd5c65fe3b8a8b2862fc7049692e92ac12703487edc7

General

Target

2885d39472461249eea2d56856ea913a.exe
Size

928KB
MD5

2885d39472461249eea2d56856ea913a
SHA1

be776462df8db7324fd77a134935e6ed17ba6d0a
SHA256

311380e373e370131734bd5c65fe3b8a8b2862fc7049692e92ac12703487edc7
SHA512

2e85f2bfab8a6aab56ec4fd490b09f139d749536020681807c1bc5b0bc0425a5415678182cbf9834f5f67e0fedf21e18259ecf5b2c40f88f271fce93550d7a49

Score

10^/10

ransomware upx spyware stealer masslogger

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\42EF15E83D\Log.txt

Family

masslogger

Ransom Note

<|| v2.1.0.0 ||> User Name: Admin IP: 154.61.71.13 Location: United States Windows OS: Microsoft Windows 7 Professional 64bit Windows Serial Key: HYF8J-CVRMY-CM74G-RPHKF-PW487 CPU: Persocon Processor 2.5+ GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 7/31/2020 2:01:38 PM MassLogger Started: 7/31/2020 2:01:28 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| USB Spread ||> Disabled <|| Downloader ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> NA

Signatures

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

2885d39472461249eea2d56856ea913a.exenotepad.exeghjkzxijdk.exe

description	pid	process	target process
PID 844 wrote to memory of 284	844	2885d39472461249eea2d56856ea913a.exe	notepad.exe
PID 844 wrote to memory of 284	844	2885d39472461249eea2d56856ea913a.exe	notepad.exe
PID 844 wrote to memory of 284	844	2885d39472461249eea2d56856ea913a.exe	notepad.exe
PID 844 wrote to memory of 284	844	2885d39472461249eea2d56856ea913a.exe	notepad.exe
PID 844 wrote to memory of 284	844	2885d39472461249eea2d56856ea913a.exe	notepad.exe
PID 844 wrote to memory of 284	844	2885d39472461249eea2d56856ea913a.exe	notepad.exe
PID 284 wrote to memory of 1012	284	notepad.exe	ghjkzxijdk.exe
PID 284 wrote to memory of 1012	284	notepad.exe	ghjkzxijdk.exe
PID 284 wrote to memory of 1012	284	notepad.exe	ghjkzxijdk.exe
PID 284 wrote to memory of 1012	284	notepad.exe	ghjkzxijdk.exe
PID 1012 wrote to memory of 1160	1012	ghjkzxijdk.exe	ghjkzxijdk.exe
PID 1012 wrote to memory of 1160	1012	ghjkzxijdk.exe	ghjkzxijdk.exe
PID 1012 wrote to memory of 1160	1012	ghjkzxijdk.exe	ghjkzxijdk.exe
PID 1012 wrote to memory of 1160	1012	ghjkzxijdk.exe	ghjkzxijdk.exe
PID 1012 wrote to memory of 1052	1012	ghjkzxijdk.exe	ghjkzxijdk.exe
PID 1012 wrote to memory of 1052	1012	ghjkzxijdk.exe	ghjkzxijdk.exe
PID 1012 wrote to memory of 1052	1012	ghjkzxijdk.exe	ghjkzxijdk.exe
PID 1012 wrote to memory of 1052	1012	ghjkzxijdk.exe	ghjkzxijdk.exe

MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

yara_rule
masslogger_log_file

Suspicious behavior: EnumeratesProcesses 1351 IoCs

Processes:

2885d39472461249eea2d56856ea913a.exeghjkzxijdk.exeghjkzxijdk.exe

pid	process
844	2885d39472461249eea2d56856ea913a.exe
1012	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe
1052	ghjkzxijdk.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ghjkzxijdk.exe

pid process

1012 ghjkzxijdk.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ghjkzxijdk.exe

description pid process target process

PID 1012 set thread context of 1160 1012 ghjkzxijdk.exe ghjkzxijdk.exe
NTFS ADS 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe:ZoneIdentifier notepad.exe
Loads dropped DLL 2 IoCs

Processes:

notepad.exe

pid process

284 notepad.exe
284 notepad.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ghjkzxijdk.exe

description pid process

Token: SeDebugPrivilege 1160 ghjkzxijdk.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
Drops startup file 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs notepad.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Executes dropped EXE 3 IoCs

Processes:

ghjkzxijdk.exeghjkzxijdk.exeghjkzxijdk.exe

pid process

1012 ghjkzxijdk.exe
1160 ghjkzxijdk.exe
1052 ghjkzxijdk.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ghjkzxijdk.exe

pid process

1160 ghjkzxijdk.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

ghjkzxijdk.exe

pid process

1160 ghjkzxijdk.exe

pid	process
1012	ghjkzxijdk.exe

description	pid	process	target process
PID 1012 set thread context of 1160	1012	ghjkzxijdk.exe	ghjkzxijdk.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe:ZoneIdentifier	notepad.exe

pid	process
284	notepad.exe
284	notepad.exe

description	pid	process
Token: SeDebugPrivilege	1160	ghjkzxijdk.exe

flow	ioc
5	api.ipify.org

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs	notepad.exe

pid	process
1012	ghjkzxijdk.exe
1160	ghjkzxijdk.exe
1052	ghjkzxijdk.exe

pid	process
1160	ghjkzxijdk.exe

pid	process
1160	ghjkzxijdk.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1160-7-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/1160-7-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/1160-11-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/1160-11-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/1160-13-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/1160-13-0x0000000000400000-0x0000000000541000-memory.dmp	upx

C:\Users\Admin\AppData\Local\Temp\2885d39472461249eea2d56856ea913a.exe
"C:\Users\Admin\AppData\Local\Temp\2885d39472461249eea2d56856ea913a.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:844

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Suspicious use of WriteProcessMemory
- NTFS ADS
- Loads dropped DLL
- Drops startup file
PID:284

C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe
"C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1012

C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe
"C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
PID:1160

C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe
"C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe" 2 1160 116439
4⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe

Download Submit
\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe

Download Submit
\Users\Admin\AppData\Roaming\appdata\ghjkzxijdk.exe

Download Submit
memory/284-1-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/284-0-0x0000000000000000-mapping.dmp

Download
memory/1012-4-0x0000000000000000-mapping.dmp

Download
memory/1052-10-0x0000000000000000-mapping.dmp

Download
memory/1160-8-0x000000000053FBC0-mapping.dmp

Download
memory/1160-11-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/1160-13-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/1160-7-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/1160-14-0x0000000001F60000-0x0000000001FFA000-memory.dmp

Filesize
616KB

Download
memory/1160-15-0x0000000002072000-0x0000000002073000-memory.dmp

Filesize
4KB

Download
memory/1160-16-0x0000000000310000-0x00000000003A4000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads