masslogger | 31b06ca8f90f735bd3b209e576db1da2a5ab7f661b58f85eaabcde2181978003

General

Target

41b90e096ee11fd8a4afc9dde7f95311.exe
Size

525KB
MD5

41b90e096ee11fd8a4afc9dde7f95311
SHA1

53a53f95afeaaaa1af65b74a7caf394e246308b3
SHA256

31b06ca8f90f735bd3b209e576db1da2a5ab7f661b58f85eaabcde2181978003
SHA512

1b675a1fbed48ba951e69e7e2f8f6c38a303a5389ed5742f020321faaeb0bc8dbdeec2ca7dd946727898468a46e47468e784145889a34941b9642790c260305b

Score

10^/10

masslogger persistence spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2584-10-0x0000000000486F3E-mapping.dmp	family_masslogger
behavioral2/memory/2584-9-0x0000000000400000-0x000000000048C000-memory.dmp	family_masslogger
behavioral2/memory/2584-16-0x0000000000486F3E-mapping.dmp	family_masslogger
behavioral2/memory/2584-18-0x0000000000486F3E-mapping.dmp	family_masslogger
behavioral2/memory/2584-17-0x0000000000486F3E-mapping.dmp	family_masslogger
behavioral2/memory/2584-19-0x0000000000486F3E-mapping.dmp	family_masslogger
behavioral2/memory/2584-20-0x0000000000486F3E-mapping.dmp	family_masslogger

ServiceHost packer 5 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/2584-16-0x0000000000486F3E-mapping.dmp	servicehost
behavioral2/memory/2584-18-0x0000000000486F3E-mapping.dmp	servicehost
behavioral2/memory/2584-17-0x0000000000486F3E-mapping.dmp	servicehost
behavioral2/memory/2584-19-0x0000000000486F3E-mapping.dmp	servicehost
behavioral2/memory/2584-20-0x0000000000486F3E-mapping.dmp	servicehost

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

41b90e096ee11fd8a4afc9dde7f95311.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\""	41b90e096ee11fd8a4afc9dde7f95311.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

41b90e096ee11fd8a4afc9dde7f95311.exe

description pid process target process

PID 3980 set thread context of 2584 3980 41b90e096ee11fd8a4afc9dde7f95311.exe 41b90e096ee11fd8a4afc9dde7f95311.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2836 2584 WerFault.exe 41b90e096ee11fd8a4afc9dde7f95311.exe

description	pid	process	target process
PID 3980 set thread context of 2584	3980	41b90e096ee11fd8a4afc9dde7f95311.exe	41b90e096ee11fd8a4afc9dde7f95311.exe

pid	pid_target	process	target process
2836	2584	WerFault.exe	41b90e096ee11fd8a4afc9dde7f95311.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe
2836	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

41b90e096ee11fd8a4afc9dde7f95311.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3980	41b90e096ee11fd8a4afc9dde7f95311.exe
Token: SeRestorePrivilege	2836	WerFault.exe
Token: SeBackupPrivilege	2836	WerFault.exe
Token: SeDebugPrivilege	2836	WerFault.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

41b90e096ee11fd8a4afc9dde7f95311.exe

description	pid	process	target process
PID 3980 wrote to memory of 2584	3980	41b90e096ee11fd8a4afc9dde7f95311.exe	41b90e096ee11fd8a4afc9dde7f95311.exe
PID 3980 wrote to memory of 2584	3980	41b90e096ee11fd8a4afc9dde7f95311.exe	41b90e096ee11fd8a4afc9dde7f95311.exe
PID 3980 wrote to memory of 2584	3980	41b90e096ee11fd8a4afc9dde7f95311.exe	41b90e096ee11fd8a4afc9dde7f95311.exe
PID 3980 wrote to memory of 2584	3980	41b90e096ee11fd8a4afc9dde7f95311.exe	41b90e096ee11fd8a4afc9dde7f95311.exe
PID 3980 wrote to memory of 2584	3980	41b90e096ee11fd8a4afc9dde7f95311.exe	41b90e096ee11fd8a4afc9dde7f95311.exe
PID 3980 wrote to memory of 2584	3980	41b90e096ee11fd8a4afc9dde7f95311.exe	41b90e096ee11fd8a4afc9dde7f95311.exe
PID 3980 wrote to memory of 2584	3980	41b90e096ee11fd8a4afc9dde7f95311.exe	41b90e096ee11fd8a4afc9dde7f95311.exe
PID 3980 wrote to memory of 2584	3980	41b90e096ee11fd8a4afc9dde7f95311.exe	41b90e096ee11fd8a4afc9dde7f95311.exe

C:\Users\Admin\AppData\Local\Temp\41b90e096ee11fd8a4afc9dde7f95311.exe
"C:\Users\Admin\AppData\Local\Temp\41b90e096ee11fd8a4afc9dde7f95311.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\41b90e096ee11fd8a4afc9dde7f95311.exe
"C:\Users\Admin\AppData\Local\Temp\41b90e096ee11fd8a4afc9dde7f95311.exe"
2⤵
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 940
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\41b90e096ee11fd8a4afc9dde7f95311.exe.log
MD5
1755d02418241b16d29f6f19bb49952e

SHA1
55a2a978b98c43820f21a8b7597515d804e43d2c

SHA256
ebeb444cf2bd1945e7be508cc782963cf8cf9cedb1680a776f41eb0bf763a561

SHA512
6cd5449f39199e276ea335af0721384ba18009932c8eed5a36e43f1e08b0890291fb9d033aee8c6e8c88899a44504cb222404137ea6b0d847a49a14971f47c75

Download Submit
memory/2584-9-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2584-20-0x0000000000486F3E-mapping.dmp

Download
memory/2584-19-0x0000000000486F3E-mapping.dmp

Download
memory/2584-17-0x0000000000486F3E-mapping.dmp

Download
memory/2584-18-0x0000000000486F3E-mapping.dmp

Download
memory/2584-16-0x0000000000486F3E-mapping.dmp

Download
memory/2584-12-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-10-0x0000000000486F3E-mapping.dmp

Download
memory/2836-15-0x0000000004650000-0x0000000004651000-memory.dmp

Filesize
4KB

Download
memory/3980-8-0x00000000097E0000-0x00000000097F6000-memory.dmp

Filesize
88KB

Download
memory/3980-7-0x0000000008F50000-0x0000000008F51000-memory.dmp

Filesize
4KB

Download
memory/3980-0-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/3980-6-0x0000000008E40000-0x0000000008EDA000-memory.dmp

Filesize
616KB

Download
memory/3980-5-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/3980-4-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/3980-3-0x0000000005DB0000-0x0000000005DB1000-memory.dmp

Filesize
4KB

Download
memory/3980-1-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads