masslogger | 72ceeee6538d869e032d33c4cac0b1e51f34b9e32bf1e17f475b5609ddfe0bf8

General

Target

order9321t.exe
Size

940KB
MD5

397c5bbcc75db8567548322417aa05fd
SHA1

d65b345c5863550cb7c454eedf2de0e16fbd391e
SHA256

72ceeee6538d869e032d33c4cac0b1e51f34b9e32bf1e17f475b5609ddfe0bf8
SHA512

85d71264d951cc6d921b3ae29e716d3e21566daca5bd315d46a9778313573677e5e1feb6339e92c41c2b3256544ec6dc66e49ec7f0ecf9f245500599b74b233b

Score

10^/10

spyware stealer masslogger evasion

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/988-8-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/988-9-0x000000000048195E-mapping.dmp	family_masslogger
behavioral1/memory/988-10-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/988-11-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

order9321t.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	order9321t.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	order9321t.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

order9321t.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\International\Geo\Nation	order9321t.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org

flow	ioc
5	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

order9321t.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	order9321t.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	order9321t.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

order9321t.exe

description pid process target process

PID 900 set thread context of 988 900 order9321t.exe order9321t.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2024 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

order9321t.exe

pid process

988 order9321t.exe

description	pid	process	target process
PID 900 set thread context of 988	900	order9321t.exe	order9321t.exe

pid	process
2024	schtasks.exe

pid	process
988	order9321t.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

order9321t.exeorder9321t.exe

pid	process
900	order9321t.exe
900	order9321t.exe
900	order9321t.exe
900	order9321t.exe
900	order9321t.exe
988	order9321t.exe
988	order9321t.exe
988	order9321t.exe
988	order9321t.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

order9321t.exeorder9321t.exe

description pid process

Token: SeDebugPrivilege 900 order9321t.exe
Token: SeDebugPrivilege 988 order9321t.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

order9321t.exe

pid process

988 order9321t.exe

description	pid	process
Token: SeDebugPrivilege	900	order9321t.exe
Token: SeDebugPrivilege	988	order9321t.exe

pid	process
988	order9321t.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

order9321t.exe

description	pid	process	target process
PID 900 wrote to memory of 2024	900	order9321t.exe	schtasks.exe
PID 900 wrote to memory of 2024	900	order9321t.exe	schtasks.exe
PID 900 wrote to memory of 2024	900	order9321t.exe	schtasks.exe
PID 900 wrote to memory of 2024	900	order9321t.exe	schtasks.exe
PID 900 wrote to memory of 1888	900	order9321t.exe	order9321t.exe
PID 900 wrote to memory of 1888	900	order9321t.exe	order9321t.exe
PID 900 wrote to memory of 1888	900	order9321t.exe	order9321t.exe
PID 900 wrote to memory of 1888	900	order9321t.exe	order9321t.exe
PID 900 wrote to memory of 988	900	order9321t.exe	order9321t.exe
PID 900 wrote to memory of 988	900	order9321t.exe	order9321t.exe
PID 900 wrote to memory of 988	900	order9321t.exe	order9321t.exe
PID 900 wrote to memory of 988	900	order9321t.exe	order9321t.exe
PID 900 wrote to memory of 988	900	order9321t.exe	order9321t.exe
PID 900 wrote to memory of 988	900	order9321t.exe	order9321t.exe
PID 900 wrote to memory of 988	900	order9321t.exe	order9321t.exe
PID 900 wrote to memory of 988	900	order9321t.exe	order9321t.exe
PID 900 wrote to memory of 988	900	order9321t.exe	order9321t.exe

C:\Users\Admin\AppData\Local\Temp\order9321t.exe
"C:\Users\Admin\AppData\Local\Temp\order9321t.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YdvIruZxoLuL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2024
- C:\Users\Admin\AppData\Local\Temp\order9321t.exe
  "{path}"
  2⤵
  PID:1888
- C:\Users\Admin\AppData\Local\Temp\order9321t.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp

MD5
335c8d6e055c1e5f682f9d54f71b4690

SHA1
17c84d1cd3e4562669b0bf338ef03e076e4f96a3

SHA256
6b8bfd212ce0e34a9c09be34ffdd6adc6be8e62c6bca2e5fc447ef9c79d00da8

SHA512
5d90d54e6b02c77b97a24d7330c615b098352796c9110b714237e270c23134b287c246573227da1f042bbc8baf3c9084bad9f1e86ddad72ce163409060e32f49

Download Submit
memory/900-0-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/900-1-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/900-3-0x0000000000480000-0x0000000000483000-memory.dmp

Filesize
12KB

Download
memory/900-4-0x00000000058B0000-0x000000000596F000-memory.dmp

Filesize
764KB

Download
memory/900-5-0x0000000004F80000-0x000000000502F000-memory.dmp

Filesize
700KB

Download
memory/988-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/988-9-0x000000000048195E-mapping.dmp

Download
memory/988-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/988-11-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/988-12-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/2024-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads