masslogger | d0d99283b85e0d8c899857c8e9f37a51c6af357f915124078a367a0687607a29

General

Target

nwamamassloga.scr
Size

5.5MB
MD5

22eda4f532ebc0f5994060c2d6cd2002
SHA1

10beb6ab238582776f0450a2c43502307f766ebd
SHA256

d0d99283b85e0d8c899857c8e9f37a51c6af357f915124078a367a0687607a29
SHA512

f66ebd885c3ae086e295782c748b18e8fa5df1bf69597a21f684d3558d5b3e5b738d0af1df39240c297efe950798341ceb463e8a81869ad66f4dcb2bc1ac2e5a

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/916-7-0x0000000000481F6E-mapping.dmp	family_masslogger
behavioral1/memory/916-6-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/916-8-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/916-9-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nwamamassloga.scr

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation	nwamamassloga.scr

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

nwamamassloga.scr

description pid process target process

PID 800 set thread context of 916 800 nwamamassloga.scr nwamamassloga.scr
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

nwamamassloga.scr

pid process

916 nwamamassloga.scr
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

nwamamassloga.scrpowershell.exe

pid process

916 nwamamassloga.scr
916 nwamamassloga.scr
916 nwamamassloga.scr
916 nwamamassloga.scr
1624 powershell.exe
1624 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

nwamamassloga.scrpowershell.exe

description pid process

Token: SeDebugPrivilege 916 nwamamassloga.scr
Token: SeDebugPrivilege 1624 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

nwamamassloga.scr

pid process

916 nwamamassloga.scr

flow	ioc
6	api.ipify.org

description	pid	process	target process
PID 800 set thread context of 916	800	nwamamassloga.scr	nwamamassloga.scr

pid	process
916	nwamamassloga.scr

pid	process
916	nwamamassloga.scr
916	nwamamassloga.scr
916	nwamamassloga.scr
916	nwamamassloga.scr
1624	powershell.exe
1624	powershell.exe

description	pid	process
Token: SeDebugPrivilege	916	nwamamassloga.scr
Token: SeDebugPrivilege	1624	powershell.exe

pid	process
916	nwamamassloga.scr

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

nwamamassloga.scrnwamamassloga.scr

description	pid	process	target process
PID 800 wrote to memory of 916	800	nwamamassloga.scr	nwamamassloga.scr
PID 800 wrote to memory of 916	800	nwamamassloga.scr	nwamamassloga.scr
PID 800 wrote to memory of 916	800	nwamamassloga.scr	nwamamassloga.scr
PID 800 wrote to memory of 916	800	nwamamassloga.scr	nwamamassloga.scr
PID 800 wrote to memory of 916	800	nwamamassloga.scr	nwamamassloga.scr
PID 800 wrote to memory of 916	800	nwamamassloga.scr	nwamamassloga.scr
PID 800 wrote to memory of 916	800	nwamamassloga.scr	nwamamassloga.scr
PID 800 wrote to memory of 916	800	nwamamassloga.scr	nwamamassloga.scr
PID 800 wrote to memory of 916	800	nwamamassloga.scr	nwamamassloga.scr
PID 916 wrote to memory of 1624	916	nwamamassloga.scr	powershell.exe
PID 916 wrote to memory of 1624	916	nwamamassloga.scr	powershell.exe
PID 916 wrote to memory of 1624	916	nwamamassloga.scr	powershell.exe
PID 916 wrote to memory of 1624	916	nwamamassloga.scr	powershell.exe

C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr
"C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:800

C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr
"C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr"
2⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/800-2-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/800-3-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/800-5-0x0000000000F10000-0x0000000000F98000-memory.dmp

Filesize
544KB

Download
memory/916-7-0x0000000000481F6E-mapping.dmp

Download
memory/916-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/916-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/916-9-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/916-10-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/1624-13-0x0000000000000000-mapping.dmp

Download
memory/1624-14-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/1624-15-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1624-16-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/1624-17-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1624-18-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1624-21-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/1624-26-0x0000000006050000-0x0000000006051000-memory.dmp

Filesize
4KB

Download
memory/1624-27-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/1624-34-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/1624-35-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/1624-49-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/1624-50-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads