masslogger | 3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c

General

Target

3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c.exe
Size

1.1MB
MD5

0926c811a25166772fe8e5b851111ac0
SHA1

3dd43c9f30d385c375303cba97bca5ee5f136a2a
SHA256

3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c
SHA512

6092b0b0b15409b09f9b4ee29ee7efbf2021a08895247232112b5aff87568ed493472939939673c2d23dde535febd5758ff55bd58fc740c0176a20094cddd5fd

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1588-71-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/1588-72-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/1588-74-0x00000000004813DE-mapping.dmp	family_masslogger
behavioral1/memory/1588-73-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/1588-77-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/1588-79-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Executes dropped EXE 2 IoCs

Processes:

hikarvin.exehikarvin.exe

pid process

1500 hikarvin.exe
1588 hikarvin.exe
Drops startup file 1 IoCs

Processes:

hikarvin.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hikarvin.lnk hikarvin.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exehikarvin.exe

pid process

276 cmd.exe
1500 hikarvin.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

hikarvin.exe

description pid process target process

PID 1500 set thread context of 1588 1500 hikarvin.exe hikarvin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1500	hikarvin.exe
1588	hikarvin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hikarvin.lnk	hikarvin.exe

pid	process
276	cmd.exe
1500	hikarvin.exe

description	pid	process	target process
PID 1500 set thread context of 1588	1500	hikarvin.exe	hikarvin.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c.exehikarvin.exehikarvin.exe

pid	process
1376	3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c.exe
1500	hikarvin.exe
1588	hikarvin.exe
1588	hikarvin.exe
1500	hikarvin.exe
1500	hikarvin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c.exehikarvin.exehikarvin.exe

description	pid	process
Token: SeDebugPrivilege	1376	3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c.exe
Token: SeDebugPrivilege	1500	hikarvin.exe
Token: SeDebugPrivilege	1588	hikarvin.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c.execmd.exehikarvin.exe

description	pid	process	target process
PID 1376 wrote to memory of 580	1376	3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c.exe	cmd.exe
PID 1376 wrote to memory of 580	1376	3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c.exe	cmd.exe
PID 1376 wrote to memory of 580	1376	3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c.exe	cmd.exe
PID 1376 wrote to memory of 580	1376	3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c.exe	cmd.exe
PID 1376 wrote to memory of 276	1376	3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c.exe	cmd.exe
PID 1376 wrote to memory of 276	1376	3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c.exe	cmd.exe
PID 1376 wrote to memory of 276	1376	3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c.exe	cmd.exe
PID 1376 wrote to memory of 276	1376	3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c.exe	cmd.exe
PID 276 wrote to memory of 1500	276	cmd.exe	hikarvin.exe
PID 276 wrote to memory of 1500	276	cmd.exe	hikarvin.exe
PID 276 wrote to memory of 1500	276	cmd.exe	hikarvin.exe
PID 276 wrote to memory of 1500	276	cmd.exe	hikarvin.exe
PID 1500 wrote to memory of 1588	1500	hikarvin.exe	hikarvin.exe
PID 1500 wrote to memory of 1588	1500	hikarvin.exe	hikarvin.exe
PID 1500 wrote to memory of 1588	1500	hikarvin.exe	hikarvin.exe
PID 1500 wrote to memory of 1588	1500	hikarvin.exe	hikarvin.exe
PID 1500 wrote to memory of 1588	1500	hikarvin.exe	hikarvin.exe
PID 1500 wrote to memory of 1588	1500	hikarvin.exe	hikarvin.exe
PID 1500 wrote to memory of 1588	1500	hikarvin.exe	hikarvin.exe
PID 1500 wrote to memory of 1588	1500	hikarvin.exe	hikarvin.exe
PID 1500 wrote to memory of 1588	1500	hikarvin.exe	hikarvin.exe

C:\Users\Admin\AppData\Local\Temp\3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c.exe
"C:\Users\Admin\AppData\Local\Temp\3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\hikarvin.exe"
  2⤵
  PID:580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\hikarvin.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:276
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\hikarvin.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\hikarvin.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\hikarvin.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\hikarvin.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\hikarvin.exe

Filesize
1.1MB

MD5
0926c811a25166772fe8e5b851111ac0

SHA1
3dd43c9f30d385c375303cba97bca5ee5f136a2a

SHA256
3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c

SHA512
6092b0b0b15409b09f9b4ee29ee7efbf2021a08895247232112b5aff87568ed493472939939673c2d23dde535febd5758ff55bd58fc740c0176a20094cddd5fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\hikarvin.exe

Filesize
1.1MB

MD5
0926c811a25166772fe8e5b851111ac0

SHA1
3dd43c9f30d385c375303cba97bca5ee5f136a2a

SHA256
3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c

SHA512
6092b0b0b15409b09f9b4ee29ee7efbf2021a08895247232112b5aff87568ed493472939939673c2d23dde535febd5758ff55bd58fc740c0176a20094cddd5fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\hikarvin.exe

Filesize
1.1MB

MD5
0926c811a25166772fe8e5b851111ac0

SHA1
3dd43c9f30d385c375303cba97bca5ee5f136a2a

SHA256
3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c

SHA512
6092b0b0b15409b09f9b4ee29ee7efbf2021a08895247232112b5aff87568ed493472939939673c2d23dde535febd5758ff55bd58fc740c0176a20094cddd5fd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\hikarvin.exe

Filesize
1.1MB

MD5
0926c811a25166772fe8e5b851111ac0

SHA1
3dd43c9f30d385c375303cba97bca5ee5f136a2a

SHA256
3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c

SHA512
6092b0b0b15409b09f9b4ee29ee7efbf2021a08895247232112b5aff87568ed493472939939673c2d23dde535febd5758ff55bd58fc740c0176a20094cddd5fd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\hikarvin.exe

Filesize
1.1MB

MD5
0926c811a25166772fe8e5b851111ac0

SHA1
3dd43c9f30d385c375303cba97bca5ee5f136a2a

SHA256
3d651f6264da7ba84b71f9495f815b26254a4d3085760c5d97b40d40a998d02c

SHA512
6092b0b0b15409b09f9b4ee29ee7efbf2021a08895247232112b5aff87568ed493472939939673c2d23dde535febd5758ff55bd58fc740c0176a20094cddd5fd

Download Submit
memory/276-59-0x0000000000000000-mapping.dmp

Download
memory/580-58-0x0000000000000000-mapping.dmp

Download
memory/1376-55-0x0000000000290000-0x00000000002B0000-memory.dmp

Filesize
128KB

Download
memory/1376-56-0x00000000002C0000-0x00000000002E4000-memory.dmp

Filesize
144KB

Download
memory/1376-57-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/1376-54-0x0000000000AA0000-0x0000000000BC4000-memory.dmp

Filesize
1.1MB

Download
memory/1500-64-0x00000000009E0000-0x0000000000B04000-memory.dmp

Filesize
1.1MB

Download
memory/1500-65-0x0000000000610000-0x0000000000634000-memory.dmp

Filesize
144KB

Download
memory/1500-67-0x0000000002010000-0x0000000002022000-memory.dmp

Filesize
72KB

Download
memory/1500-62-0x0000000000000000-mapping.dmp

Download
memory/1588-68-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-69-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-71-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-72-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-74-0x00000000004813DE-mapping.dmp

Download
memory/1588-73-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-77-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1588-79-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads