masslogger | 3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971

General

Target

3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe
Size

1.1MB
MD5

d05e77f3861b02d2b85bee2fd3e1bd2f
SHA1

4bcbf42787afee482a7e30f12f3394803fdefc86
SHA256

3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971
SHA512

7a5e30ab5d4ebf9577c70a82f30a9d7f507d60c5f252b8d2c33747fa059f7f89810a6a8e4e6097cfe9b096657b7096063840bad7bf9293ddd706be58eecd948d

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1300-129-0x0000000000B90000-0x0000000000C16000-memory.dmp	family_masslogger
behavioral2/memory/1300-128-0x0000000000B90000-0x0000000000C16000-memory.dmp	family_masslogger

Drops startup file 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HHHHHHHHHHH.vbs notepad.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HHHHHHHHHHH.vbs	notepad.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe

description	pid	process	target process
PID 736 set thread context of 1300	736	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exepowershell.exe

pid	process
736	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe
736	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe
1300	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe
1300	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe
904	powershell.exe
904	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe

pid process

736 3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1300	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe
Token: SeDebugPrivilege	904	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe

description	pid	process	target process
PID 736 wrote to memory of 1132	736	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe	notepad.exe
PID 736 wrote to memory of 1132	736	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe	notepad.exe
PID 736 wrote to memory of 1132	736	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe	notepad.exe
PID 736 wrote to memory of 1132	736	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe	notepad.exe
PID 736 wrote to memory of 1132	736	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe	notepad.exe
PID 736 wrote to memory of 1300	736	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe
PID 736 wrote to memory of 1300	736	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe
PID 736 wrote to memory of 1300	736	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe
PID 1300 wrote to memory of 904	1300	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe	powershell.exe
PID 1300 wrote to memory of 904	1300	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe	powershell.exe
PID 1300 wrote to memory of 904	1300	3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe
"C:\Users\Admin\AppData\Local\Temp\3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - Drops startup file
  PID:1132
- C:\Users\Admin\AppData\Local\Temp\3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe
  "C:\Users\Admin\AppData\Local\Temp\3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\3a3606d38bd55a8a0c627f22f38ed873744e6fe62af75766dbe4707f68fe8971.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/736-125-0x0000000000640000-0x0000000000655000-memory.dmp

Filesize
84KB

Download
memory/904-149-0x0000000004D35000-0x0000000004D37000-memory.dmp

Filesize
8KB

Download
memory/904-152-0x0000000007320000-0x00000000073B6000-memory.dmp

Filesize
600KB

Download
memory/904-153-0x0000000006660000-0x0000000006682000-memory.dmp

Filesize
136KB

Download
memory/904-151-0x0000000006590000-0x00000000065AA000-memory.dmp

Filesize
104KB

Download
memory/904-150-0x0000000007900000-0x0000000007F7A000-memory.dmp

Filesize
6.5MB

Download
memory/904-143-0x0000000000000000-mapping.dmp

Download
memory/904-148-0x0000000006010000-0x000000000602E000-memory.dmp

Filesize
120KB

Download
memory/904-147-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/904-146-0x00000000051E0000-0x0000000005202000-memory.dmp

Filesize
136KB

Download
memory/904-145-0x0000000005370000-0x0000000005998000-memory.dmp

Filesize
6.2MB

Download
memory/904-144-0x0000000002760000-0x0000000002796000-memory.dmp

Filesize
216KB

Download
memory/1132-126-0x0000000000000000-mapping.dmp

Download
memory/1300-133-0x0000000000AC2000-0x0000000000AC3000-memory.dmp

Filesize
4KB

Download
memory/1300-135-0x0000000000AC2000-0x0000000000AC3000-memory.dmp

Filesize
4KB

Download
memory/1300-140-0x0000000004D00000-0x0000000004D92000-memory.dmp

Filesize
584KB

Download
memory/1300-141-0x0000000004E50000-0x00000000053F4000-memory.dmp

Filesize
5.6MB

Download
memory/1300-142-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/1300-138-0x0000000000AC2000-0x0000000000AC3000-memory.dmp

Filesize
4KB

Download
memory/1300-137-0x0000000000AC2000-0x0000000000AC3000-memory.dmp

Filesize
4KB

Download
memory/1300-139-0x0000000000AC2000-0x0000000000AC3000-memory.dmp

Filesize
4KB

Download
memory/1300-136-0x0000000000AC2000-0x0000000000AC3000-memory.dmp

Filesize
4KB

Download
memory/1300-134-0x0000000000AC2000-0x0000000000AC3000-memory.dmp

Filesize
4KB

Download
memory/1300-132-0x0000000000AC2000-0x0000000000AC3000-memory.dmp

Filesize
4KB

Download
memory/1300-130-0x0000000000AC2000-0x0000000000AC3000-memory.dmp

Filesize
4KB

Download
memory/1300-131-0x0000000000AC2000-0x0000000000AC3000-memory.dmp

Filesize
4KB

Download
memory/1300-128-0x0000000000B90000-0x0000000000C16000-memory.dmp

Filesize
536KB

Download
memory/1300-129-0x0000000000B90000-0x0000000000C16000-memory.dmp

Filesize
536KB

Download
memory/1300-127-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads