masslogger | 4aceb37332d3353fcfdc0fa6cdcf21ca3f675689d69ad84dd0e397f6ffa57cbd

General

Target

hesap hareketleriniz.bin.exe
Size

92KB
MD5

ae6c2cee9ea5dd18f83d07a9b508b2ca
SHA1

efa48d08f08cfd59c2db9a5be430b7aefdd5973a
SHA256

4aceb37332d3353fcfdc0fa6cdcf21ca3f675689d69ad84dd0e397f6ffa57cbd
SHA512

f4279a56dc0f30d629fa4d086401d22b94b56bcd43ddb514a0d9b48572bd73f1568eaf08e67f4ae24d0626b716f33c710b0d8d6751dfd5ed2950a8b08891b4f0

Score

10^/10

masslogger persistence spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1160-14-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral2/memory/1160-15-0x000000000048184E-mapping.dmp	family_masslogger

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

hesap hareketleriniz.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hesap hareketleriniz.bin.exe\""	hesap hareketleriniz.bin.exe

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

4052 powershell.exe

pid	process
4052	powershell.exe

Drops startup file 2 IoCs

Processes:

hesap hareketleriniz.bin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hesap hareketleriniz.bin.exe	hesap hareketleriniz.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hesap hareketleriniz.bin.exe	hesap hareketleriniz.bin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hesap hareketleriniz.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\hesap hareketleriniz.bin.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hesap hareketleriniz.bin.exe"	hesap hareketleriniz.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hesap hareketleriniz.bin.exe"	hesap hareketleriniz.bin.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

hesap hareketleriniz.bin.exe

description pid process target process

PID 640 set thread context of 1160 640 hesap hareketleriniz.bin.exe hesap hareketleriniz.bin.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2620 timeout.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

hesap hareketleriniz.bin.exepowershell.exe

pid process

1160 hesap hareketleriniz.bin.exe
1160 hesap hareketleriniz.bin.exe
4052 powershell.exe
4052 powershell.exe
4052 powershell.exe

description	pid	process	target process
PID 640 set thread context of 1160	640	hesap hareketleriniz.bin.exe	hesap hareketleriniz.bin.exe

pid	process
2620	timeout.exe

pid	process
1160	hesap hareketleriniz.bin.exe
1160	hesap hareketleriniz.bin.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

hesap hareketleriniz.bin.exehesap hareketleriniz.bin.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	640	hesap hareketleriniz.bin.exe
Token: SeDebugPrivilege	1160	hesap hareketleriniz.bin.exe
Token: SeDebugPrivilege	4052	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

hesap hareketleriniz.bin.execmd.exehesap hareketleriniz.bin.exe

description	pid	process	target process
PID 640 wrote to memory of 508	640	hesap hareketleriniz.bin.exe	cmd.exe
PID 640 wrote to memory of 508	640	hesap hareketleriniz.bin.exe	cmd.exe
PID 640 wrote to memory of 508	640	hesap hareketleriniz.bin.exe	cmd.exe
PID 508 wrote to memory of 2620	508	cmd.exe	timeout.exe
PID 508 wrote to memory of 2620	508	cmd.exe	timeout.exe
PID 508 wrote to memory of 2620	508	cmd.exe	timeout.exe
PID 640 wrote to memory of 1160	640	hesap hareketleriniz.bin.exe	hesap hareketleriniz.bin.exe
PID 640 wrote to memory of 1160	640	hesap hareketleriniz.bin.exe	hesap hareketleriniz.bin.exe
PID 640 wrote to memory of 1160	640	hesap hareketleriniz.bin.exe	hesap hareketleriniz.bin.exe
PID 640 wrote to memory of 1160	640	hesap hareketleriniz.bin.exe	hesap hareketleriniz.bin.exe
PID 640 wrote to memory of 1160	640	hesap hareketleriniz.bin.exe	hesap hareketleriniz.bin.exe
PID 640 wrote to memory of 1160	640	hesap hareketleriniz.bin.exe	hesap hareketleriniz.bin.exe
PID 640 wrote to memory of 1160	640	hesap hareketleriniz.bin.exe	hesap hareketleriniz.bin.exe
PID 640 wrote to memory of 1160	640	hesap hareketleriniz.bin.exe	hesap hareketleriniz.bin.exe
PID 1160 wrote to memory of 4052	1160	hesap hareketleriniz.bin.exe	powershell.exe
PID 1160 wrote to memory of 4052	1160	hesap hareketleriniz.bin.exe	powershell.exe
PID 1160 wrote to memory of 4052	1160	hesap hareketleriniz.bin.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe
"C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 4.699
2⤵
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\SysWOW64\timeout.exe
timeout 4.699
3⤵
- Delays execution with timeout.exe
PID:2620

C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe
"C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe'
3⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hesap hareketleriniz.bin.exe.log
MD5
617cff0b7bb8c3b933eb565334a9e1cd

SHA1
d65fd4ab596d36c620653a4063a4291a05516518

SHA256
b6d1695ae5cb23eb04f82cd83a40a1036c49acaf276386ccae03c925235ed676

SHA512
f9cf271f050531f48e7737ae467c973a8d69fd18acb82c95699db4ced6efc3971c5249fe361098ea86dd23e23da9b27dc5dcd7c00f395b1694fd3303810914db

Download Submit
memory/508-6-0x0000000000000000-mapping.dmp

Download
memory/640-3-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/640-4-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/640-5-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/640-2-0x0000000073190000-0x000000007387E000-memory.dmp

Filesize
6.9MB

Download
memory/640-8-0x0000000007110000-0x0000000007111000-memory.dmp

Filesize
4KB

Download
memory/640-11-0x0000000007070000-0x0000000007096000-memory.dmp

Filesize
152KB

Download
memory/640-12-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/640-13-0x0000000007070000-0x000000000710D000-memory.dmp

Filesize
628KB

Download
memory/1160-22-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/1160-15-0x000000000048184E-mapping.dmp

Download
memory/1160-14-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1160-17-0x0000000073190000-0x000000007387E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-7-0x0000000000000000-mapping.dmp

Download
memory/4052-27-0x0000000006E80000-0x0000000006E81000-memory.dmp

Filesize
4KB

Download
memory/4052-31-0x0000000007B10000-0x0000000007B11000-memory.dmp

Filesize
4KB

Download
memory/4052-25-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/4052-26-0x0000000006F90000-0x0000000006F91000-memory.dmp

Filesize
4KB

Download
memory/4052-23-0x0000000000000000-mapping.dmp

Download
memory/4052-28-0x0000000007630000-0x0000000007631000-memory.dmp

Filesize
4KB

Download
memory/4052-30-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/4052-24-0x0000000073210000-0x00000000738FE000-memory.dmp

Filesize
6.9MB

Download
memory/4052-32-0x0000000007E50000-0x0000000007E51000-memory.dmp

Filesize
4KB

Download
memory/4052-33-0x0000000007F60000-0x0000000007F61000-memory.dmp

Filesize
4KB

Download
memory/4052-34-0x0000000009490000-0x0000000009491000-memory.dmp

Filesize
4KB

Download
memory/4052-35-0x0000000008C40000-0x0000000008C41000-memory.dmp

Filesize
4KB

Download
memory/4052-36-0x0000000008E10000-0x0000000008E11000-memory.dmp

Filesize
4KB

Download
memory/4052-37-0x0000000006B20000-0x0000000006B21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads