masslogger | e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7

General

Target

e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe
Size

734KB
MD5

dfe91810fa28948dc0ff20dcc0230720
SHA1

85c8a80b99e4394d04878f47edacaa5f65b9bd3b
SHA256

e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7
SHA512

349a8ac9f54be2abf42ef1b89cf8946e7643cd4a7a42488ec0755c1cf10e86671ade6d43e8fee8d7fa89c0b4aceb3b2467b6bd73eef8bf7833e945a347cc1b6f

Score

10^/10

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4180-142-0x0000000000400000-0x000000000048C000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1768 set thread context of 4180	1768	e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe	103

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4288	4180	WerFault.exe	103

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1768	e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe
1768	e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1768	e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 4164	1768	e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe	102
PID 1768 wrote to memory of 4164	1768	e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe	102
PID 1768 wrote to memory of 4164	1768	e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe	102
PID 1768 wrote to memory of 4180	1768	e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe	103
PID 1768 wrote to memory of 4180	1768	e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe	103
PID 1768 wrote to memory of 4180	1768	e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe	103
PID 1768 wrote to memory of 4180	1768	e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe	103
PID 1768 wrote to memory of 4180	1768	e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe	103
PID 1768 wrote to memory of 4180	1768	e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe	103
PID 1768 wrote to memory of 4180	1768	e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe	103
PID 1768 wrote to memory of 4180	1768	e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe	103

C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe
"C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe
  "{path}"
  2⤵
  PID:4164
- C:\Users\Admin\AppData\Local\Temp\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe
  "{path}"
  2⤵
  PID:4180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 968
    3⤵
    - Program crash
    PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4180 -ip 4180
1⤵
PID:4256

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e0fc4cd55ad749f411ecfd308911e98e8c2d94b518c159a93a08b686c23aa7b7.exe.log

Filesize
1KB

MD5
6f8f3a9a57cb30e686d3355e656031e0

SHA1
acccd6befb1a2f40e662280bc5182e086a0d079b

SHA256
283586e83b25099a5698cb9caf9c594a37060d11e0f55c81bb9c6d4f728448ea

SHA512
8f11d645ff4f8d5b1c45b06eb52cd45319659255306d60e80e33abfd04b9e3b1164679f11a8a23bd493e4b3f6b9841d70e553a01835eeaf6035b4d05e4fd7b54

Download Submit
memory/1768-134-0x0000000000730000-0x00000000007EE000-memory.dmp

Filesize
760KB

Download
memory/1768-135-0x0000000005660000-0x0000000005C04000-memory.dmp

Filesize
5.6MB

Download
memory/1768-136-0x0000000005190000-0x0000000005222000-memory.dmp

Filesize
584KB

Download
memory/1768-137-0x0000000005340000-0x000000000534A000-memory.dmp

Filesize
40KB

Download
memory/1768-138-0x0000000008D70000-0x000000000929C000-memory.dmp

Filesize
5.2MB

Download
memory/1768-139-0x00000000088F0000-0x000000000898C000-memory.dmp

Filesize
624KB

Download
memory/4180-142-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download