masslogger | ad32cadc3a75e969c0e8c25dfec398378aceb406017050763ce3c5d482998f42

General

Target

PAYMENT DETAILS CONFIRMATION.exe
Size

992KB
MD5

73c81dd67773b2efa5261e20adf74a5b
SHA1

fde0db688d6abb4aad0bb646db9f1c192d980b5a
SHA256

ad32cadc3a75e969c0e8c25dfec398378aceb406017050763ce3c5d482998f42
SHA512

8b2483b0dedf9d6b9329202d40544291b55601518c3b14f5df764e277114ee6538bdf6d08efcb8c3dad99ac7368471354acb1bf1ecd3f7da2c072f8c5a8e24d9

Score

10^/10

evasion stealer spyware masslogger

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3080-13-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger
behavioral2/memory/3080-14-0x00000000004B31FE-mapping.dmp	family_masslogger

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PAYMENT DETAILS CONFIRMATION.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	PAYMENT DETAILS CONFIRMATION.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	PAYMENT DETAILS CONFIRMATION.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

PAYMENT DETAILS CONFIRMATION.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PAYMENT DETAILS CONFIRMATION.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	PAYMENT DETAILS CONFIRMATION.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

PAYMENT DETAILS CONFIRMATION.exe

description pid process target process

PID 3288 set thread context of 3080 3288 PAYMENT DETAILS CONFIRMATION.exe PAYMENT DETAILS CONFIRMATION.exe

description	pid	process	target process
PID 3288 set thread context of 3080	3288	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

PAYMENT DETAILS CONFIRMATION.exePAYMENT DETAILS CONFIRMATION.exe

pid	process
3288	PAYMENT DETAILS CONFIRMATION.exe
3288	PAYMENT DETAILS CONFIRMATION.exe
3080	PAYMENT DETAILS CONFIRMATION.exe
3080	PAYMENT DETAILS CONFIRMATION.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PAYMENT DETAILS CONFIRMATION.exePAYMENT DETAILS CONFIRMATION.exe

description pid process

Token: SeDebugPrivilege 3288 PAYMENT DETAILS CONFIRMATION.exe
Token: SeDebugPrivilege 3080 PAYMENT DETAILS CONFIRMATION.exe

description	pid	process
Token: SeDebugPrivilege	3288	PAYMENT DETAILS CONFIRMATION.exe
Token: SeDebugPrivilege	3080	PAYMENT DETAILS CONFIRMATION.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

PAYMENT DETAILS CONFIRMATION.exePAYMENT DETAILS CONFIRMATION.execmd.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"
  2⤵
  PID:1944
- C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PAYMENT DETAILS CONFIRMATION.exe'
      4⤵
      PID:192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT DETAILS CONFIRMATION.exe.log

MD5
5ce36f0c4d9568839c224ffaa10d5441

SHA1
69c0cdded0b415091641c3fbf64b7fbd7e285e47

SHA256
c93c5a9fdaa44aeb7f25c89abed40a1ca6432bf3ea840e2820388bef68cd116a

SHA512
a6ef350d4f36f35b42ce0b8a4df83f17fb0a4f66dcfa32617b22e642168291bede3b612969e0eec293d7ca1ba0aef7a05c31823bd41821e0880b609f280b0b83

Download Submit
memory/192-26-0x0000000000000000-mapping.dmp

Download
memory/192-25-0x0000000000000000-mapping.dmp

Download
memory/3080-13-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3080-21-0x00000000056D0000-0x0000000005741000-memory.dmp

Filesize
452KB

Download
memory/3080-16-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/3080-14-0x00000000004B31FE-mapping.dmp

Download
memory/3288-6-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/3288-9-0x0000000005980000-0x0000000005A43000-memory.dmp

Filesize
780KB

Download
memory/3288-10-0x0000000004FB0000-0x0000000004FB2000-memory.dmp

Filesize
8KB

Download
memory/3288-11-0x0000000005AD0000-0x0000000005B87000-memory.dmp

Filesize
732KB

Download
memory/3288-12-0x0000000005D00000-0x0000000005D01000-memory.dmp

Filesize
4KB

Download
memory/3288-8-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/3288-7-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3288-0-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/3288-5-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3288-4-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/3288-3-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/3288-1-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/3916-24-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 3288 wrote to memory of 1944	3288	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 3288 wrote to memory of 1944	3288	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 3288 wrote to memory of 1944	3288	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 3288 wrote to memory of 3080	3288	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 3288 wrote to memory of 3080	3288	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 3288 wrote to memory of 3080	3288	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 3288 wrote to memory of 3080	3288	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 3288 wrote to memory of 3080	3288	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 3288 wrote to memory of 3080	3288	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 3288 wrote to memory of 3080	3288	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 3288 wrote to memory of 3080	3288	PAYMENT DETAILS CONFIRMATION.exe	PAYMENT DETAILS CONFIRMATION.exe
PID 3080 wrote to memory of 3916	3080	PAYMENT DETAILS CONFIRMATION.exe	cmd.exe
PID 3080 wrote to memory of 3916	3080	PAYMENT DETAILS CONFIRMATION.exe	cmd.exe
PID 3080 wrote to memory of 3916	3080	PAYMENT DETAILS CONFIRMATION.exe	cmd.exe
PID 3916 wrote to memory of 192	3916	cmd.exe	powershell.exe
PID 3916 wrote to memory of 192	3916	cmd.exe	powershell.exe
PID 3916 wrote to memory of 192	3916	cmd.exe	powershell.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads