masslogger | 9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4

General

Target

60091743pdf.exe
Size

1.1MB
MD5

c9b3ce0f3c3350621b6df632369a58f8
SHA1

ac29d51d75264cad92760259a8b2a4c358516975
SHA256

9bf180bb7b3cc0fcc6d01b68e2aa82d2f853e081ec71e34942d875324a2415b4
SHA512

96a329657409994e8485ded30d9dce953ee19489ab6242df62a2cade14ea107b328043c7ec7c024c3151370c41a16e12fa3ef3bc5371796d436c723b8a3da690

Score

10^/10

spyware stealer masslogger

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1576-8-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/1576-9-0x0000000000481C2E-mapping.dmp	family_masslogger
behavioral1/memory/1576-10-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/1576-11-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

60091743pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\International\Geo\Nation	60091743pdf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

60091743pdf.exe

description pid process target process

PID 868 set thread context of 1576 868 60091743pdf.exe 60091743pdf.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1608 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

60091743pdf.exe

pid process

1576 60091743pdf.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

60091743pdf.exe60091743pdf.exe

pid process

868 60091743pdf.exe
1576 60091743pdf.exe
1576 60091743pdf.exe
1576 60091743pdf.exe
1576 60091743pdf.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

60091743pdf.exe60091743pdf.exe

description pid process

Token: SeDebugPrivilege 868 60091743pdf.exe
Token: SeDebugPrivilege 1576 60091743pdf.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

60091743pdf.exe

pid process

1576 60091743pdf.exe

flow	ioc
4	api.ipify.org

description	pid	process	target process
PID 868 set thread context of 1576	868	60091743pdf.exe	60091743pdf.exe

pid	process
1608	schtasks.exe

pid	process
1576	60091743pdf.exe

pid	process
868	60091743pdf.exe
1576	60091743pdf.exe
1576	60091743pdf.exe
1576	60091743pdf.exe
1576	60091743pdf.exe

description	pid	process
Token: SeDebugPrivilege	868	60091743pdf.exe
Token: SeDebugPrivilege	1576	60091743pdf.exe

pid	process
1576	60091743pdf.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

60091743pdf.exe

description	pid	process	target process
PID 868 wrote to memory of 1608	868	60091743pdf.exe	schtasks.exe
PID 868 wrote to memory of 1608	868	60091743pdf.exe	schtasks.exe
PID 868 wrote to memory of 1608	868	60091743pdf.exe	schtasks.exe
PID 868 wrote to memory of 1608	868	60091743pdf.exe	schtasks.exe
PID 868 wrote to memory of 1576	868	60091743pdf.exe	60091743pdf.exe
PID 868 wrote to memory of 1576	868	60091743pdf.exe	60091743pdf.exe
PID 868 wrote to memory of 1576	868	60091743pdf.exe	60091743pdf.exe
PID 868 wrote to memory of 1576	868	60091743pdf.exe	60091743pdf.exe
PID 868 wrote to memory of 1576	868	60091743pdf.exe	60091743pdf.exe
PID 868 wrote to memory of 1576	868	60091743pdf.exe	60091743pdf.exe
PID 868 wrote to memory of 1576	868	60091743pdf.exe	60091743pdf.exe
PID 868 wrote to memory of 1576	868	60091743pdf.exe	60091743pdf.exe
PID 868 wrote to memory of 1576	868	60091743pdf.exe	60091743pdf.exe

C:\Users\Admin\AppData\Local\Temp\60091743pdf.exe
"C:\Users\Admin\AppData\Local\Temp\60091743pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nwwFxKnJy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8A26.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1608
- C:\Users\Admin\AppData\Local\Temp\60091743pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\60091743pdf.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8A26.tmp

MD5
f70d9bb96b15c557a3ead5fdba69bec3

SHA1
da09aee283c311ade112ae38d3ae62f5c3dfed67

SHA256
f274c34195a537054b112980634071ab6c8f0cd2a63d48ee3d8e80ce3e09e064

SHA512
8148c50be54076e0a4237d217b42fb9e27673dde1d0b02636abc93adc5e435491d2697fd6cac59309fabc9d3085178513859ed2c9a7b8627e3fbc231df3a1db4

Download Submit
memory/868-0-0x0000000074650000-0x0000000074D3E000-memory.dmp

Filesize
6.9MB

Download
memory/868-1-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/868-3-0x00000000004B0000-0x00000000004BB000-memory.dmp

Filesize
44KB

Download
memory/868-4-0x0000000005F80000-0x000000000603E000-memory.dmp

Filesize
760KB

Download
memory/868-5-0x0000000005D10000-0x0000000005DA2000-memory.dmp

Filesize
584KB

Download
memory/1576-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1576-9-0x0000000000481C2E-mapping.dmp

Download
memory/1576-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1576-11-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1576-12-0x0000000074650000-0x0000000074D3E000-memory.dmp

Filesize
6.9MB

Download
memory/1608-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads