masslogger | 2d9b9f417d914d2b6f3bc2eefbe9b82ec3eacd8077f2ad4a1a05f393f8584bc8

General

Target

DHL_January 2021 at 28M_9B7290_PDF.exe
Size

727KB
MD5

c13081675ef4f1fea467c18c31bf2492
SHA1

6683c8d513c50cbe2a5999a4a5c31c4a90aeb01d
SHA256

2d9b9f417d914d2b6f3bc2eefbe9b82ec3eacd8077f2ad4a1a05f393f8584bc8
SHA512

76da00c45c88387f03eb727ad5ff948b39029a1c19d2f13070f08de94b9ec6084dea683b6345a2116c9a3b201f8d7ccd826c4343dcf5f04268ebc889981847a7

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/500-21-0x0000000000481E9E-mapping.dmp	family_masslogger
behavioral2/memory/500-20-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DHL_January 2021 at 28M_9B7290_PDF.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	DHL_January 2021 at 28M_9B7290_PDF.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 api.ipify.org

flow	ioc
13	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL_January 2021 at 28M_9B7290_PDF.exe

description	pid	process	target process
PID 1316 set thread context of 500	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	DHL_January 2021 at 28M_9B7290_PDF.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DHL_January 2021 at 28M_9B7290_PDF.exe

pid process

500 DHL_January 2021 at 28M_9B7290_PDF.exe

pid	process
500	DHL_January 2021 at 28M_9B7290_PDF.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

DHL_January 2021 at 28M_9B7290_PDF.exeDHL_January 2021 at 28M_9B7290_PDF.exe

pid	process
1316	DHL_January 2021 at 28M_9B7290_PDF.exe
1316	DHL_January 2021 at 28M_9B7290_PDF.exe
500	DHL_January 2021 at 28M_9B7290_PDF.exe
500	DHL_January 2021 at 28M_9B7290_PDF.exe
500	DHL_January 2021 at 28M_9B7290_PDF.exe
500	DHL_January 2021 at 28M_9B7290_PDF.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DHL_January 2021 at 28M_9B7290_PDF.exeDHL_January 2021 at 28M_9B7290_PDF.exe

description	pid	process
Token: SeDebugPrivilege	1316	DHL_January 2021 at 28M_9B7290_PDF.exe
Token: SeDebugPrivilege	500	DHL_January 2021 at 28M_9B7290_PDF.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

DHL_January 2021 at 28M_9B7290_PDF.exe

pid process

500 DHL_January 2021 at 28M_9B7290_PDF.exe

pid	process
500	DHL_January 2021 at 28M_9B7290_PDF.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

DHL_January 2021 at 28M_9B7290_PDF.exe

description	pid	process	target process
PID 1316 wrote to memory of 1984	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	SecEdit.exe
PID 1316 wrote to memory of 1984	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	SecEdit.exe
PID 1316 wrote to memory of 1984	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	SecEdit.exe
PID 1316 wrote to memory of 3884	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	SecEdit.exe
PID 1316 wrote to memory of 3884	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	SecEdit.exe
PID 1316 wrote to memory of 3884	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	SecEdit.exe
PID 1316 wrote to memory of 2464	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	SecEdit.exe
PID 1316 wrote to memory of 2464	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	SecEdit.exe
PID 1316 wrote to memory of 2464	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	SecEdit.exe
PID 1316 wrote to memory of 976	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	DHL_January 2021 at 28M_9B7290_PDF.exe
PID 1316 wrote to memory of 976	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	DHL_January 2021 at 28M_9B7290_PDF.exe
PID 1316 wrote to memory of 976	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	DHL_January 2021 at 28M_9B7290_PDF.exe
PID 1316 wrote to memory of 500	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	DHL_January 2021 at 28M_9B7290_PDF.exe
PID 1316 wrote to memory of 500	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	DHL_January 2021 at 28M_9B7290_PDF.exe
PID 1316 wrote to memory of 500	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	DHL_January 2021 at 28M_9B7290_PDF.exe
PID 1316 wrote to memory of 500	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	DHL_January 2021 at 28M_9B7290_PDF.exe
PID 1316 wrote to memory of 500	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	DHL_January 2021 at 28M_9B7290_PDF.exe
PID 1316 wrote to memory of 500	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	DHL_January 2021 at 28M_9B7290_PDF.exe
PID 1316 wrote to memory of 500	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	DHL_January 2021 at 28M_9B7290_PDF.exe
PID 1316 wrote to memory of 500	1316	DHL_January 2021 at 28M_9B7290_PDF.exe	DHL_January 2021 at 28M_9B7290_PDF.exe

C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\SecEdit.exe
"C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log
2⤵
PID:1984

C:\Windows\SysWOW64\SecEdit.exe
"C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log
2⤵
PID:3884

C:\Windows\SysWOW64\SecEdit.exe
"C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log
2⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe"
2⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_January 2021 at 28M_9B7290_PDF.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UserRights.cfg
MD5
456fce3c9c70a5522b9ccb8e7805fafd

SHA1
5988836ad195d430687177e74544596b0bcc0324

SHA256
94e0a2f7c5813e0ffc3522c5cda4da66e218050c3a2f471a361d898722d7d991

SHA512
b0ae155778bb726ef2f07256a09fc3c062e086d4cae13346f02141642fce0c49a3a239e813f4e69133e06ce3ba564056b3b903fce211dedbe2cf62ade1dfd6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UserRights.cfg
MD5
49690b04039df7c36d6c0672e1fb32cd

SHA1
8f9c6ff079e52b4fb87e7475fcea2631fee28edf

SHA256
4b3dcc7dd63590a61b0b9a0075e08b004d609db0158927401ee6e72242d6e873

SHA512
3ee00bf6e43cfcdd2003e74bb83d4988b2b0ef22efa9869ec0a7bd3f93c0bcff549289e99619f026a6fea64be7c974331443bea10448c90b0d9d20781f445717

Download Submit
C:\Users\Admin\AppData\Local\Temp\UserRights.log
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\UserRights.log
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/500-28-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/500-22-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/500-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/500-21-0x0000000000481E9E-mapping.dmp

Download
memory/1316-8-0x0000000007490000-0x0000000007491000-memory.dmp

Filesize
4KB

Download
memory/1316-2-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/1316-16-0x0000000009730000-0x00000000097DE000-memory.dmp

Filesize
696KB

Download
memory/1316-17-0x00000000097E0000-0x00000000097E1000-memory.dmp

Filesize
4KB

Download
memory/1316-18-0x0000000009C20000-0x0000000009C21000-memory.dmp

Filesize
4KB

Download
memory/1316-19-0x0000000009B80000-0x0000000009B8F000-memory.dmp

Filesize
60KB

Download
memory/1316-7-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/1316-6-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/1316-5-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download
memory/1316-3-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1984-9-0x0000000000000000-mapping.dmp

Download
memory/2464-12-0x0000000000000000-mapping.dmp

Download
memory/3884-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads