masslogger | 77edc9558f41f26d6b1586ca2fea51861a67de17a50f9494090070285e1f0c43

General

Target

Order Inquiry List.exe
Size

1.1MB
MD5

5a82e2c1d04b28f1d1c7861b231ccfce
SHA1

39adba5bb7a9585d50993a6264f05aecafcd0a92
SHA256

77edc9558f41f26d6b1586ca2fea51861a67de17a50f9494090070285e1f0c43
SHA512

b32280588cbb9e128ba84c800252edca5736c714ff90d9f710ab684537621c99e63c2e4fe41f36c3313098f20d710661b483bdfbd5e35dbc4410d4bcc339f1ba

Score

10^/10

stealer spyware masslogger

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2948-11-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger
behavioral2/memory/2948-12-0x00000000004B34AE-mapping.dmp	family_masslogger

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

3592 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Order Inquiry List.exe

description pid process target process

PID 728 set thread context of 2948 728 Order Inquiry List.exe Order Inquiry List.exe
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe

pid	process
3592	powershell.exe

description	pid	process	target process
PID 728 set thread context of 2948	728	Order Inquiry List.exe	Order Inquiry List.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = bd013da7a37ed601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Order Inquiry List.exepowershell.exe

pid process

2948 Order Inquiry List.exe
2948 Order Inquiry List.exe
3592 powershell.exe
3592 powershell.exe
3592 powershell.exe

pid	process
2948	Order Inquiry List.exe
2948	Order Inquiry List.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

svchost.exeOrder Inquiry List.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	364	svchost.exe
Token: SeCreatePagefilePrivilege	364	svchost.exe
Token: SeDebugPrivilege	2948	Order Inquiry List.exe
Token: SeDebugPrivilege	3592	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Order Inquiry List.exeOrder Inquiry List.execmd.exe

description	pid	process	target process
PID 728 wrote to memory of 2948	728	Order Inquiry List.exe	Order Inquiry List.exe
PID 728 wrote to memory of 2948	728	Order Inquiry List.exe	Order Inquiry List.exe
PID 728 wrote to memory of 2948	728	Order Inquiry List.exe	Order Inquiry List.exe
PID 728 wrote to memory of 2948	728	Order Inquiry List.exe	Order Inquiry List.exe
PID 728 wrote to memory of 2948	728	Order Inquiry List.exe	Order Inquiry List.exe
PID 728 wrote to memory of 2948	728	Order Inquiry List.exe	Order Inquiry List.exe
PID 728 wrote to memory of 2948	728	Order Inquiry List.exe	Order Inquiry List.exe
PID 728 wrote to memory of 2948	728	Order Inquiry List.exe	Order Inquiry List.exe
PID 2948 wrote to memory of 208	2948	Order Inquiry List.exe	cmd.exe
PID 2948 wrote to memory of 208	2948	Order Inquiry List.exe	cmd.exe
PID 2948 wrote to memory of 208	2948	Order Inquiry List.exe	cmd.exe
PID 208 wrote to memory of 3592	208	cmd.exe	powershell.exe
PID 208 wrote to memory of 3592	208	cmd.exe	powershell.exe
PID 208 wrote to memory of 3592	208	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:728

C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe'
4⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:364

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order Inquiry List.exe.log
MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
memory/208-22-0x0000000000000000-mapping.dmp

Download
memory/728-9-0x0000000005E20000-0x0000000005F10000-memory.dmp

Filesize
960KB

Download
memory/728-3-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/728-1-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/728-6-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/728-7-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/728-8-0x0000000004EE0000-0x0000000004EEB000-memory.dmp

Filesize
44KB

Download
memory/728-0-0x00000000736B0000-0x0000000073D9E000-memory.dmp

Filesize
6.9MB

Download
memory/728-10-0x0000000006090000-0x0000000006154000-memory.dmp

Filesize
784KB

Download
memory/728-4-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/728-5-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/2948-11-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2948-12-0x00000000004B34AE-mapping.dmp

Download
memory/2948-19-0x00000000059C0000-0x0000000005A31000-memory.dmp

Filesize
452KB

Download
memory/2948-20-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/2948-14-0x00000000736B0000-0x0000000073D9E000-memory.dmp

Filesize
6.9MB

Download
memory/3592-27-0x0000000007050000-0x0000000007051000-memory.dmp

Filesize
4KB

Download
memory/3592-31-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/3592-25-0x0000000073730000-0x0000000073E1E000-memory.dmp

Filesize
6.9MB

Download
memory/3592-26-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/3592-38-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/3592-28-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/3592-29-0x0000000007780000-0x0000000007781000-memory.dmp

Filesize
4KB

Download
memory/3592-24-0x0000000000000000-mapping.dmp

Download
memory/3592-32-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

Filesize
4KB

Download
memory/3592-33-0x0000000008120000-0x0000000008121000-memory.dmp

Filesize
4KB

Download
memory/3592-34-0x0000000007F60000-0x0000000007F61000-memory.dmp

Filesize
4KB

Download
memory/3592-35-0x0000000009730000-0x0000000009731000-memory.dmp

Filesize
4KB

Download
memory/3592-36-0x0000000008CD0000-0x0000000008CD1000-memory.dmp

Filesize
4KB

Download
memory/3592-37-0x00000000090B0000-0x00000000090B1000-memory.dmp

Filesize
4KB

Download
memory/3592-23-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads