masslogger | a9a4bd2de434ba7cb210b0e8bc7374db4c6df7e0e94dac78c67f3dc97ddadc4f

Analysis

Target

DHL_20201230,pdf.exe
Size

1.1MB
MD5

14fe2d5d95ec2fe9d8610f5e16c88428
SHA1

97d20decb09787cbf557207a49b309b31429244c
SHA256

a9a4bd2de434ba7cb210b0e8bc7374db4c6df7e0e94dac78c67f3dc97ddadc4f
SHA512

50096d3b5c84cade3b070e649557313692bd4f89af08aba07582c2ecfb54d0f2da35b98f4ad3ca2c8c072a0cffde8c2ac991bad42e73422327946f617e2ee07b

Score

10^/10

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1348-3-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/1348-4-0x0000000000481D6E-mapping.dmp	family_masslogger
behavioral1/memory/1348-5-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/1348-6-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL_20201230,pdf.exe

description pid process target process

PID 340 set thread context of 1348 340 DHL_20201230,pdf.exe MSBuild.exe

description	pid	process	target process
PID 340 set thread context of 1348	340	DHL_20201230,pdf.exe	MSBuild.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

DHL_20201230,pdf.exeMSBuild.exe

description	pid	process	target process
PID 340 wrote to memory of 1348	340	DHL_20201230,pdf.exe	MSBuild.exe
PID 340 wrote to memory of 1348	340	DHL_20201230,pdf.exe	MSBuild.exe
PID 340 wrote to memory of 1348	340	DHL_20201230,pdf.exe	MSBuild.exe
PID 340 wrote to memory of 1348	340	DHL_20201230,pdf.exe	MSBuild.exe
PID 340 wrote to memory of 1348	340	DHL_20201230,pdf.exe	MSBuild.exe
PID 340 wrote to memory of 1348	340	DHL_20201230,pdf.exe	MSBuild.exe
PID 340 wrote to memory of 1348	340	DHL_20201230,pdf.exe	MSBuild.exe
PID 340 wrote to memory of 1348	340	DHL_20201230,pdf.exe	MSBuild.exe
PID 340 wrote to memory of 1348	340	DHL_20201230,pdf.exe	MSBuild.exe
PID 1348 wrote to memory of 1564	1348	MSBuild.exe	dw20.exe
PID 1348 wrote to memory of 1564	1348	MSBuild.exe	dw20.exe
PID 1348 wrote to memory of 1564	1348	MSBuild.exe	dw20.exe
PID 1348 wrote to memory of 1564	1348	MSBuild.exe	dw20.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 372
3⤵
PID:1564

memory/1348-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1348-4-0x0000000000481D6E-mapping.dmp

Download
memory/1348-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1348-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1564-7-0x0000000000000000-mapping.dmp

Download
memory/1564-8-0x0000000002280000-0x0000000002291000-memory.dmp

Filesize
68KB

Download
memory/1564-9-0x0000000002380000-0x0000000002391000-memory.dmp

Filesize
68KB

Download