masslogger | 85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866

General

Target

85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe
Size

1.3MB
MD5

cd447496c70998070f8626a11a1c923b
SHA1

f5a799663be34cac6c2d1852021df143e97348ee
SHA256

85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866
SHA512

caa8a3a17901c2e8c17a6ff39a3705a44733df3e4660df1d998bc03e1919681800ed5b60948822a930c82458f710f9d8bc6dcf51455e628ead74c9c1d7bc95b2

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4580-137-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

Processes:

85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe

description	pid	process	target process
PID 3876 set thread context of 4580	3876	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exepowershell.exe

pid	process
4580	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe
4580	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe
2220	powershell.exe
2220	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4580	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe
Token: SeDebugPrivilege	2220	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe

description	pid	process	target process
PID 3876 wrote to memory of 4580	3876	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe
PID 3876 wrote to memory of 4580	3876	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe
PID 3876 wrote to memory of 4580	3876	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe
PID 3876 wrote to memory of 4580	3876	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe
PID 3876 wrote to memory of 4580	3876	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe
PID 3876 wrote to memory of 4580	3876	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe
PID 3876 wrote to memory of 4580	3876	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe
PID 3876 wrote to memory of 4580	3876	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe
PID 4580 wrote to memory of 2220	4580	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe	powershell.exe
PID 4580 wrote to memory of 2220	4580	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe	powershell.exe
PID 4580 wrote to memory of 2220	4580	85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe
"C:\Users\Admin\AppData\Local\Temp\85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Users\Admin\AppData\Local\Temp\85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe
  "C:\Users\Admin\AppData\Local\Temp\85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\85d9e3a6c3459398e388060664ed846c4ddb034a46cfeedfd558b7b96245c866.exe.log

Filesize
1KB

MD5
bb3d30439ec1e6435c3eac4df8c1d2e3

SHA1
c901d5946e53ae0a9e2417c8dfaf5786a0037422

SHA256
182adf89e57f80a92db9a5e13105cd59544f37855ca35f98116a0182ddd3b2e6

SHA512
d3547aadf665ce2552b3dfa350b80a5e813aa346870fb2b05a3b998096eebf563143bffe964e0f7243761b79420d1adf02f735779902901d1a41a1f35c557572

Download Submit
memory/2220-145-0x0000000005F90000-0x0000000005FAE000-memory.dmp

Filesize
120KB

Download
memory/2220-144-0x00000000058B0000-0x0000000005916000-memory.dmp

Filesize
408KB

Download
memory/2220-139-0x0000000000000000-mapping.dmp

Download
memory/2220-149-0x0000000007010000-0x00000000070A6000-memory.dmp

Filesize
600KB

Download
memory/2220-147-0x00000000075F0000-0x0000000007C6A000-memory.dmp

Filesize
6.5MB

Download
memory/2220-146-0x0000000004A55000-0x0000000004A57000-memory.dmp

Filesize
8KB

Download
memory/2220-143-0x0000000004FC0000-0x0000000004FE2000-memory.dmp

Filesize
136KB

Download
memory/2220-141-0x0000000002660000-0x0000000002696000-memory.dmp

Filesize
216KB

Download
memory/2220-150-0x0000000006540000-0x0000000006562000-memory.dmp

Filesize
136KB

Download
memory/2220-148-0x0000000006480000-0x000000000649A000-memory.dmp

Filesize
104KB

Download
memory/2220-142-0x0000000005090000-0x00000000056B8000-memory.dmp

Filesize
6.2MB

Download
memory/3876-132-0x0000000005FB0000-0x0000000006554000-memory.dmp

Filesize
5.6MB

Download
memory/3876-130-0x0000000000E10000-0x0000000000F58000-memory.dmp

Filesize
1.3MB

Download
memory/3876-135-0x0000000005C00000-0x0000000005C56000-memory.dmp

Filesize
344KB

Download
memory/3876-131-0x0000000005960000-0x00000000059FC000-memory.dmp

Filesize
624KB

Download
memory/3876-134-0x00000000058F0000-0x00000000058FA000-memory.dmp

Filesize
40KB

Download
memory/3876-133-0x0000000005A00000-0x0000000005A92000-memory.dmp

Filesize
584KB

Download
memory/4580-138-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/4580-137-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4580-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads