masslogger | 7deebb230f8cc6f9f4e5db778e5da101b2ff46241e41f534100ac914d29e0641

General

Target

PO450E0272.exe
Size

1.5MB
MD5

d874872ebcb2ce52f157bc13bcc0260d
SHA1

1be85e4d425820170f38a8fed3683648c3782a17
SHA256

7deebb230f8cc6f9f4e5db778e5da101b2ff46241e41f534100ac914d29e0641
SHA512

271338aaeaca49096fdafaff8a6102ee47e627081e68e3d556f2ee6239ae5295dd236fbfd447e70665d3ba34a1d4b70a3a8adf96f9191975400cdf41f990c6f2

Score

10^/10

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/680-10-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/680-11-0x0000000000481D6E-mapping.dmp	family_masslogger
behavioral1/memory/680-12-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/680-13-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO450E0272.exe

description pid process target process

PID 1668 set thread context of 680 1668 PO450E0272.exe MSBuild.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

MSBuild.exe

pid process

680 MSBuild.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

MSBuild.exe

pid process

680 MSBuild.exe
680 MSBuild.exe
680 MSBuild.exe
680 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 680 MSBuild.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

680 MSBuild.exe

flow	ioc
6	api.ipify.org

description	pid	process	target process
PID 1668 set thread context of 680	1668	PO450E0272.exe	MSBuild.exe

pid	process
680	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	680	MSBuild.exe

pid	process
680	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

PO450E0272.exe

description	pid	process	target process
PID 1668 wrote to memory of 680	1668	PO450E0272.exe	MSBuild.exe
PID 1668 wrote to memory of 680	1668	PO450E0272.exe	MSBuild.exe
PID 1668 wrote to memory of 680	1668	PO450E0272.exe	MSBuild.exe
PID 1668 wrote to memory of 680	1668	PO450E0272.exe	MSBuild.exe
PID 1668 wrote to memory of 680	1668	PO450E0272.exe	MSBuild.exe
PID 1668 wrote to memory of 680	1668	PO450E0272.exe	MSBuild.exe
PID 1668 wrote to memory of 680	1668	PO450E0272.exe	MSBuild.exe
PID 1668 wrote to memory of 680	1668	PO450E0272.exe	MSBuild.exe
PID 1668 wrote to memory of 680	1668	PO450E0272.exe	MSBuild.exe

memory/680-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/680-11-0x0000000000481D6E-mapping.dmp

Download
memory/680-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/680-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/680-14-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/1668-2-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/1668-3-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1668-5-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/1668-6-0x0000000005650000-0x0000000005744000-memory.dmp

Filesize
976KB

Download
memory/1668-7-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/1668-9-0x0000000005750000-0x0000000005826000-memory.dmp

Filesize
856KB

Download