masslogger | 828a9fae03e6a20158c58a659f27371fbe9a836199a3327fe5ef457115cf0206

General

Target

PO 202108 FOR JANUARY 2021.exe
Size

1.5MB
MD5

d6fedf690e4ea4ba0918f9deddeb9b7a
SHA1

abb8d5664b096b6caa92993ffb75c3460f6cc7a0
SHA256

828a9fae03e6a20158c58a659f27371fbe9a836199a3327fe5ef457115cf0206
SHA512

5b3c0d624c76a5badb81c4fcb23137cee89736d4212016337a63f953a85ba033970e9f540cb63cf12bd876e0dfcfbed6a3a5817a734e8f53863d87baf0dec0cc

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2124-14-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger
behavioral2/memory/2124-15-0x00000000004B32CE-mapping.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO 202108 FOR JANUARY 2021.exe

description pid process target process

PID 4048 set thread context of 2124 4048 PO 202108 FOR JANUARY 2021.exe PO 202108 FOR JANUARY 2021.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3692 schtasks.exe

description	pid	process	target process
PID 4048 set thread context of 2124	4048	PO 202108 FOR JANUARY 2021.exe	PO 202108 FOR JANUARY 2021.exe

pid	process
3692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

PO 202108 FOR JANUARY 2021.exePO 202108 FOR JANUARY 2021.exe

pid	process
4048	PO 202108 FOR JANUARY 2021.exe
4048	PO 202108 FOR JANUARY 2021.exe
4048	PO 202108 FOR JANUARY 2021.exe
2124	PO 202108 FOR JANUARY 2021.exe
2124	PO 202108 FOR JANUARY 2021.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO 202108 FOR JANUARY 2021.exePO 202108 FOR JANUARY 2021.exe

description pid process

Token: SeDebugPrivilege 4048 PO 202108 FOR JANUARY 2021.exe
Token: SeDebugPrivilege 2124 PO 202108 FOR JANUARY 2021.exe

description	pid	process
Token: SeDebugPrivilege	4048	PO 202108 FOR JANUARY 2021.exe
Token: SeDebugPrivilege	2124	PO 202108 FOR JANUARY 2021.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

PO 202108 FOR JANUARY 2021.exePO 202108 FOR JANUARY 2021.execmd.exe

description	pid	process	target process
PID 4048 wrote to memory of 3692	4048	PO 202108 FOR JANUARY 2021.exe	schtasks.exe
PID 4048 wrote to memory of 3692	4048	PO 202108 FOR JANUARY 2021.exe	schtasks.exe
PID 4048 wrote to memory of 3692	4048	PO 202108 FOR JANUARY 2021.exe	schtasks.exe
PID 4048 wrote to memory of 2188	4048	PO 202108 FOR JANUARY 2021.exe	PO 202108 FOR JANUARY 2021.exe
PID 4048 wrote to memory of 2188	4048	PO 202108 FOR JANUARY 2021.exe	PO 202108 FOR JANUARY 2021.exe
PID 4048 wrote to memory of 2188	4048	PO 202108 FOR JANUARY 2021.exe	PO 202108 FOR JANUARY 2021.exe
PID 4048 wrote to memory of 2124	4048	PO 202108 FOR JANUARY 2021.exe	PO 202108 FOR JANUARY 2021.exe
PID 4048 wrote to memory of 2124	4048	PO 202108 FOR JANUARY 2021.exe	PO 202108 FOR JANUARY 2021.exe
PID 4048 wrote to memory of 2124	4048	PO 202108 FOR JANUARY 2021.exe	PO 202108 FOR JANUARY 2021.exe
PID 4048 wrote to memory of 2124	4048	PO 202108 FOR JANUARY 2021.exe	PO 202108 FOR JANUARY 2021.exe
PID 4048 wrote to memory of 2124	4048	PO 202108 FOR JANUARY 2021.exe	PO 202108 FOR JANUARY 2021.exe
PID 4048 wrote to memory of 2124	4048	PO 202108 FOR JANUARY 2021.exe	PO 202108 FOR JANUARY 2021.exe
PID 4048 wrote to memory of 2124	4048	PO 202108 FOR JANUARY 2021.exe	PO 202108 FOR JANUARY 2021.exe
PID 4048 wrote to memory of 2124	4048	PO 202108 FOR JANUARY 2021.exe	PO 202108 FOR JANUARY 2021.exe
PID 2124 wrote to memory of 2348	2124	PO 202108 FOR JANUARY 2021.exe	cmd.exe
PID 2124 wrote to memory of 2348	2124	PO 202108 FOR JANUARY 2021.exe	cmd.exe
PID 2124 wrote to memory of 2348	2124	PO 202108 FOR JANUARY 2021.exe	cmd.exe
PID 2348 wrote to memory of 2832	2348	cmd.exe	powershell.exe
PID 2348 wrote to memory of 2832	2348	cmd.exe	powershell.exe
PID 2348 wrote to memory of 2832	2348	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe
"C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NGgqNkUr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF93A.tmp"
2⤵
- Creates scheduled task(s)
PID:3692

C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe
"C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe"
2⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe
"C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PO 202108 FOR JANUARY 2021.exe'
4⤵
PID:2832

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO 202108 FOR JANUARY 2021.exe.log
MD5
c3cc52ccca9ff2b6fa8d267fc350ca6b

SHA1
a68d4028333296d222e4afd75dea36fdc98d05f3

SHA256
3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e

SHA512
b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF93A.tmp
MD5
5ccfcef2e39a3206f0e22a059354f368

SHA1
7f9aefaee8a5a3aef18e5c0f18a589a8f5347097

SHA256
02b39689ab4e3d4c5febd7f808265a95054d0c8152da91fa988bbecc83fe5725

SHA512
9c46ee8ffc5a33332acb9d28eb51cd85f6b06303aa04ff964d22ac17b5a57a8fc51b9805602277dea59f470c7bef94ca1a3640cda6aa6a649c89218ff607a523

Download Submit
memory/2124-22-0x0000000005030000-0x00000000050A1000-memory.dmp

Filesize
452KB

Download
memory/2124-14-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2124-23-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/2124-17-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2124-15-0x00000000004B32CE-mapping.dmp

Download
memory/2348-25-0x0000000000000000-mapping.dmp

Download
memory/2832-27-0x0000000000000000-mapping.dmp

Download
memory/2832-26-0x0000000000000000-mapping.dmp

Download
memory/3692-12-0x0000000000000000-mapping.dmp

Download
memory/4048-10-0x0000000005E90000-0x0000000005F9B000-memory.dmp

Filesize
1.0MB

Download
memory/4048-5-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/4048-3-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4048-11-0x00000000061B0000-0x000000000629A000-memory.dmp

Filesize
936KB

Download
memory/4048-2-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/4048-6-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4048-9-0x0000000005270000-0x0000000005276000-memory.dmp

Filesize
24KB

Download
memory/4048-8-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/4048-7-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads