masslogger | d0d99283b85e0d8c899857c8e9f37a51c6af357f915124078a367a0687607a29

General

Target

nwamamassloga.scr
Size

5.5MB
MD5

22eda4f532ebc0f5994060c2d6cd2002
SHA1

10beb6ab238582776f0450a2c43502307f766ebd
SHA256

d0d99283b85e0d8c899857c8e9f37a51c6af357f915124078a367a0687607a29
SHA512

f66ebd885c3ae086e295782c748b18e8fa5df1bf69597a21f684d3558d5b3e5b738d0af1df39240c297efe950798341ceb463e8a81869ad66f4dcb2bc1ac2e5a

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4024-10-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral2/memory/4024-11-0x0000000000481F6E-mapping.dmp	family_masslogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nwamamassloga.scr

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	nwamamassloga.scr

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

nwamamassloga.scr

description pid process target process

PID 640 set thread context of 4024 640 nwamamassloga.scr nwamamassloga.scr
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

nwamamassloga.scr

pid process

4024 nwamamassloga.scr
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

nwamamassloga.scrpowershell.exe

pid process

4024 nwamamassloga.scr
4024 nwamamassloga.scr
4024 nwamamassloga.scr
4024 nwamamassloga.scr
3648 powershell.exe
3648 powershell.exe
3648 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

nwamamassloga.scrpowershell.exe

description pid process

Token: SeDebugPrivilege 4024 nwamamassloga.scr
Token: SeDebugPrivilege 3648 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

nwamamassloga.scr

pid process

4024 nwamamassloga.scr

flow	ioc
11	api.ipify.org

description	pid	process	target process
PID 640 set thread context of 4024	640	nwamamassloga.scr	nwamamassloga.scr

pid	process
4024	nwamamassloga.scr

pid	process
4024	nwamamassloga.scr
4024	nwamamassloga.scr
4024	nwamamassloga.scr
4024	nwamamassloga.scr
3648	powershell.exe
3648	powershell.exe
3648	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4024	nwamamassloga.scr
Token: SeDebugPrivilege	3648	powershell.exe

pid	process
4024	nwamamassloga.scr

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

nwamamassloga.scrnwamamassloga.scr

description	pid	process	target process
PID 640 wrote to memory of 4024	640	nwamamassloga.scr	nwamamassloga.scr
PID 640 wrote to memory of 4024	640	nwamamassloga.scr	nwamamassloga.scr
PID 640 wrote to memory of 4024	640	nwamamassloga.scr	nwamamassloga.scr
PID 640 wrote to memory of 4024	640	nwamamassloga.scr	nwamamassloga.scr
PID 640 wrote to memory of 4024	640	nwamamassloga.scr	nwamamassloga.scr
PID 640 wrote to memory of 4024	640	nwamamassloga.scr	nwamamassloga.scr
PID 640 wrote to memory of 4024	640	nwamamassloga.scr	nwamamassloga.scr
PID 640 wrote to memory of 4024	640	nwamamassloga.scr	nwamamassloga.scr
PID 4024 wrote to memory of 3648	4024	nwamamassloga.scr	powershell.exe
PID 4024 wrote to memory of 3648	4024	nwamamassloga.scr	powershell.exe
PID 4024 wrote to memory of 3648	4024	nwamamassloga.scr	powershell.exe

C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr
"C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:640

C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr
"C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr"
2⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\nwamamassloga.scr'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nwamamassloga.scr.log
MD5
259abda060542e2ec7192cbe2d8c6b30

SHA1
e888e8633f1da7a93d6ae70208ebd760f54b159c

SHA256
adf36fa7c81d9056afad8d0bfacc94ff9cc5429bfcf8eb94b8e571ffa357eadd

SHA512
18aaa2a5fafb4c3d64e6006d7365364000ffe5bdd2fdd0421e3088295a2ca50b0595e618673a8e8e83b35c97c32b28bcc91d35eda3cb11675e622abe44f97612

Download Submit
memory/640-3-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/640-5-0x0000000010E30000-0x0000000010E31000-memory.dmp

Filesize
4KB

Download
memory/640-6-0x0000000010A30000-0x0000000010A31000-memory.dmp

Filesize
4KB

Download
memory/640-7-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/640-8-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/640-9-0x00000000054C0000-0x0000000005548000-memory.dmp

Filesize
544KB

Download
memory/640-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/3648-19-0x0000000000000000-mapping.dmp

Download
memory/3648-23-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/3648-46-0x0000000006EF0000-0x0000000006EF1000-memory.dmp

Filesize
4KB

Download
memory/3648-43-0x0000000009640000-0x0000000009641000-memory.dmp

Filesize
4KB

Download
memory/3648-41-0x0000000009110000-0x0000000009111000-memory.dmp

Filesize
4KB

Download
memory/3648-21-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/3648-42-0x0000000009280000-0x0000000009281000-memory.dmp

Filesize
4KB

Download
memory/3648-44-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/3648-25-0x00000000072F0000-0x00000000072F1000-memory.dmp

Filesize
4KB

Download
memory/3648-26-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/3648-27-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/3648-29-0x0000000007DA0000-0x0000000007DA1000-memory.dmp

Filesize
4KB

Download
memory/3648-30-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/3648-31-0x0000000008410000-0x0000000008411000-memory.dmp

Filesize
4KB

Download
memory/3648-32-0x0000000008460000-0x0000000008461000-memory.dmp

Filesize
4KB

Download
memory/3648-34-0x0000000009130000-0x0000000009163000-memory.dmp

Filesize
204KB

Download
memory/4024-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4024-22-0x0000000007440000-0x0000000007441000-memory.dmp

Filesize
4KB

Download
memory/4024-18-0x0000000006AC0000-0x0000000006AC1000-memory.dmp

Filesize
4KB

Download
memory/4024-13-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/4024-11-0x0000000000481F6E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads