masslogger | 77edc9558f41f26d6b1586ca2fea51861a67de17a50f9494090070285e1f0c43

General

Target

Order Inquiry List.exe
Size

1.1MB
MD5

5a82e2c1d04b28f1d1c7861b231ccfce
SHA1

39adba5bb7a9585d50993a6264f05aecafcd0a92
SHA256

77edc9558f41f26d6b1586ca2fea51861a67de17a50f9494090070285e1f0c43
SHA512

b32280588cbb9e128ba84c800252edca5736c714ff90d9f710ab684537621c99e63c2e4fe41f36c3313098f20d710661b483bdfbd5e35dbc4410d4bcc339f1ba

Score

10^/10

stealer spyware masslogger

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 2 IoCs

resource	yara_rule
behavioral2/memory/2948-11-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger
behavioral2/memory/2948-12-0x00000000004B34AE-mapping.dmp	family_masslogger

Deletes itself 1 IoCs

pid	Process
3592	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 728 set thread context of 2948	728	Order Inquiry List.exe	76

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = bd013da7a37ed601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2948	Order Inquiry List.exe
2948	Order Inquiry List.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	364	svchost.exe
Token: SeCreatePagefilePrivilege	364	svchost.exe
Token: SeDebugPrivilege	2948	Order Inquiry List.exe
Token: SeDebugPrivilege	3592	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 2948	728	Order Inquiry List.exe	76
PID 728 wrote to memory of 2948	728	Order Inquiry List.exe	76
PID 728 wrote to memory of 2948	728	Order Inquiry List.exe	76
PID 728 wrote to memory of 2948	728	Order Inquiry List.exe	76
PID 728 wrote to memory of 2948	728	Order Inquiry List.exe	76
PID 728 wrote to memory of 2948	728	Order Inquiry List.exe	76
PID 728 wrote to memory of 2948	728	Order Inquiry List.exe	76
PID 728 wrote to memory of 2948	728	Order Inquiry List.exe	76
PID 2948 wrote to memory of 208	2948	Order Inquiry List.exe	78
PID 2948 wrote to memory of 208	2948	Order Inquiry List.exe	78
PID 2948 wrote to memory of 208	2948	Order Inquiry List.exe	78
PID 208 wrote to memory of 3592	208	cmd.exe	80
PID 208 wrote to memory of 3592	208	cmd.exe	80
PID 208 wrote to memory of 3592	208	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:728
- C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe
  "C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe'
      4⤵
      Deletes itself
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/728-9-0x0000000005E20000-0x0000000005F10000-memory.dmp

Filesize
960KB

Download
memory/728-3-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/728-1-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/728-6-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/728-7-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/728-8-0x0000000004EE0000-0x0000000004EEB000-memory.dmp

Filesize
44KB

Download
memory/728-0-0x00000000736B0000-0x0000000073D9E000-memory.dmp

Filesize
6.9MB

Download
memory/728-10-0x0000000006090000-0x0000000006154000-memory.dmp

Filesize
784KB

Download
memory/728-4-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/728-5-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/2948-11-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-19-0x00000000059C0000-0x0000000005A31000-memory.dmp

Filesize
452KB

Download
memory/2948-20-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/2948-14-0x00000000736B0000-0x0000000073D9E000-memory.dmp

Filesize
6.9MB

Download
memory/3592-27-0x0000000007050000-0x0000000007051000-memory.dmp

Filesize
4KB

Download
memory/3592-31-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/3592-25-0x0000000073730000-0x0000000073E1E000-memory.dmp

Filesize
6.9MB

Download
memory/3592-26-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/3592-38-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/3592-28-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/3592-29-0x0000000007780000-0x0000000007781000-memory.dmp

Filesize
4KB

Download
memory/3592-32-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

Filesize
4KB

Download
memory/3592-33-0x0000000008120000-0x0000000008121000-memory.dmp

Filesize
4KB

Download
memory/3592-34-0x0000000007F60000-0x0000000007F61000-memory.dmp

Filesize
4KB

Download
memory/3592-35-0x0000000009730000-0x0000000009731000-memory.dmp

Filesize
4KB

Download
memory/3592-36-0x0000000008CD0000-0x0000000008CD1000-memory.dmp

Filesize
4KB

Download
memory/3592-37-0x00000000090B0000-0x00000000090B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing