masslogger | 1d36a49464b06e161a182dfe3b2631fac5c76556d61d401e385c235fd124f4a1

General

Target

PO NO. 369273.exe
Size

847KB
MD5

22ac585c773cef9b561008a2ee7e5ae1
SHA1

307784c15ffd676c41fbe8ba8c7974e14b2a3210
SHA256

1d36a49464b06e161a182dfe3b2631fac5c76556d61d401e385c235fd124f4a1
SHA512

7ecd0ed67c6c1706645de88fcfdeac724e441c9a292089b9b98907478cd5f8682ccb3d6f57c5976b54918246c5aef57f7e82e19b8011be37ef5cc6aaaebe9aa2

Score

10^/10

masslogger rezer0 spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1048-8-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/1048-9-0x00000000004A2D1E-mapping.dmp	family_masslogger

rezer0 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/1304-6-0x00000000070B0000-0x0000000007159000-memory.dmp	rezer0

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

2280 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO NO. 369273.exe

description pid process target process

PID 1304 set thread context of 1048 1304 PO NO. 369273.exe PO NO. 369273.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

PO NO. 369273.exepowershell.exe

pid process

1304 PO NO. 369273.exe
1304 PO NO. 369273.exe
2280 powershell.exe
2280 powershell.exe
2280 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO NO. 369273.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1304 PO NO. 369273.exe
Token: SeDebugPrivilege 2280 powershell.exe

pid	process
2280	powershell.exe

description	pid	process	target process
PID 1304 set thread context of 1048	1304	PO NO. 369273.exe	PO NO. 369273.exe

pid	process
1304	PO NO. 369273.exe
1304	PO NO. 369273.exe
2280	powershell.exe
2280	powershell.exe
2280	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1304	PO NO. 369273.exe
Token: SeDebugPrivilege	2280	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

PO NO. 369273.exePO NO. 369273.execmd.exe

description	pid	process	target process
PID 1304 wrote to memory of 728	1304	PO NO. 369273.exe	PO NO. 369273.exe
PID 1304 wrote to memory of 728	1304	PO NO. 369273.exe	PO NO. 369273.exe
PID 1304 wrote to memory of 728	1304	PO NO. 369273.exe	PO NO. 369273.exe
PID 1304 wrote to memory of 1048	1304	PO NO. 369273.exe	PO NO. 369273.exe
PID 1304 wrote to memory of 1048	1304	PO NO. 369273.exe	PO NO. 369273.exe
PID 1304 wrote to memory of 1048	1304	PO NO. 369273.exe	PO NO. 369273.exe
PID 1304 wrote to memory of 1048	1304	PO NO. 369273.exe	PO NO. 369273.exe
PID 1304 wrote to memory of 1048	1304	PO NO. 369273.exe	PO NO. 369273.exe
PID 1304 wrote to memory of 1048	1304	PO NO. 369273.exe	PO NO. 369273.exe
PID 1304 wrote to memory of 1048	1304	PO NO. 369273.exe	PO NO. 369273.exe
PID 1304 wrote to memory of 1048	1304	PO NO. 369273.exe	PO NO. 369273.exe
PID 1048 wrote to memory of 3964	1048	PO NO. 369273.exe	cmd.exe
PID 1048 wrote to memory of 3964	1048	PO NO. 369273.exe	cmd.exe
PID 1048 wrote to memory of 3964	1048	PO NO. 369273.exe	cmd.exe
PID 3964 wrote to memory of 2280	3964	cmd.exe	powershell.exe
PID 3964 wrote to memory of 2280	3964	cmd.exe	powershell.exe
PID 3964 wrote to memory of 2280	3964	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\PO NO. 369273.exe
"C:\Users\Admin\AppData\Local\Temp\PO NO. 369273.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\PO NO. 369273.exe
"{path}"
2⤵
PID:728

C:\Users\Admin\AppData\Local\Temp\PO NO. 369273.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PO NO. 369273.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PO NO. 369273.exe'
4⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO NO. 369273.exe.log
MD5
6b890abb65c85ef6929baf5d47758323

SHA1
a1b18c5edc1bbd956447975d420ffd74cf5c97ab

SHA256
d551d8c88d8d58996b962c518ed6ee72cd18124e1351d476fe88ea9ed4b2a5da

SHA512
74fa6f960c0ad7b2f14fc5b1ae5b5b706a0ac1da2509f8612c1286ffb8f5bbbf8440801d61d2e30af53210fa72ce90849ccf199a19c337791a09522e1ec907ff

Download Submit
memory/1048-8-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1048-17-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/1048-16-0x0000000004E40000-0x0000000004E7E000-memory.dmp

Filesize
248KB

Download
memory/1048-11-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/1048-9-0x00000000004A2D1E-mapping.dmp

Download
memory/1304-4-0x0000000002F90000-0x0000000002F9F000-memory.dmp

Filesize
60KB

Download
memory/1304-7-0x0000000007660000-0x0000000007661000-memory.dmp

Filesize
4KB

Download
memory/1304-6-0x00000000070B0000-0x0000000007159000-memory.dmp

Filesize
676KB

Download
memory/1304-5-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/1304-0-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/1304-3-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/1304-1-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/2280-20-0x0000000000000000-mapping.dmp

Download
memory/2280-26-0x0000000006E00000-0x0000000006E01000-memory.dmp

Filesize
4KB

Download
memory/2280-21-0x0000000000000000-mapping.dmp

Download
memory/2280-22-0x0000000073CD0000-0x00000000743BE000-memory.dmp

Filesize
6.9MB

Download
memory/2280-23-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/2280-24-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/2280-25-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

Filesize
4KB

Download
memory/2280-35-0x0000000006AF0000-0x0000000006AF1000-memory.dmp

Filesize
4KB

Download
memory/2280-28-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/2280-29-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/2280-30-0x00000000081A0000-0x00000000081A1000-memory.dmp

Filesize
4KB

Download
memory/2280-31-0x0000000007F00000-0x0000000007F01000-memory.dmp

Filesize
4KB

Download
memory/2280-32-0x0000000009690000-0x0000000009691000-memory.dmp

Filesize
4KB

Download
memory/2280-33-0x0000000008C30000-0x0000000008C31000-memory.dmp

Filesize
4KB

Download
memory/2280-34-0x0000000009010000-0x0000000009011000-memory.dmp

Filesize
4KB

Download
memory/3964-19-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads