masslogger | 525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec

General

Target

525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exe
Size

627KB
MD5

4603fcb4d478d038f44c3deb950e4f5e
SHA1

b91ecd8439b30dabb43e2d7a0be880f4d70c45b1
SHA256

525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec
SHA512

2192dbc01f0a92c2787fff53bc4b766787f13d891df580392e2f6462745d991184fefa99b268870fae981a3a15779668ef3461693b6d05c6e6fc3c218e9d63d8

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4356-134-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

Processes:

525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exe

description	pid	process	target process
PID 1840 set thread context of 4356	1840	525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exeRegSvcs.exepowershell.exe

pid	process
1840	525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exe
1840	525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exe
4356	RegSvcs.exe
4356	RegSvcs.exe
1356	powershell.exe
1356	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exeRegSvcs.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1840	525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exe
Token: SeDebugPrivilege	4356	RegSvcs.exe
Token: SeDebugPrivilege	1356	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exeRegSvcs.exe

description	pid	process	target process
PID 1840 wrote to memory of 2360	1840	525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exe	RegSvcs.exe
PID 1840 wrote to memory of 2360	1840	525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exe	RegSvcs.exe
PID 1840 wrote to memory of 2360	1840	525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exe	RegSvcs.exe
PID 1840 wrote to memory of 4356	1840	525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exe	RegSvcs.exe
PID 1840 wrote to memory of 4356	1840	525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exe	RegSvcs.exe
PID 1840 wrote to memory of 4356	1840	525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exe	RegSvcs.exe
PID 1840 wrote to memory of 4356	1840	525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exe	RegSvcs.exe
PID 1840 wrote to memory of 4356	1840	525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exe	RegSvcs.exe
PID 1840 wrote to memory of 4356	1840	525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exe	RegSvcs.exe
PID 1840 wrote to memory of 4356	1840	525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exe	RegSvcs.exe
PID 1840 wrote to memory of 4356	1840	525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exe	RegSvcs.exe
PID 4356 wrote to memory of 1356	4356	RegSvcs.exe	powershell.exe
PID 4356 wrote to memory of 1356	4356	RegSvcs.exe	powershell.exe
PID 4356 wrote to memory of 1356	4356	RegSvcs.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exe
"C:\Users\Admin\AppData\Local\Temp\525202de58e562f513d80eab1b53b4804a5afea6cf791f17084fa78b9de202ec.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1356-142-0x00000000061D0000-0x00000000061EE000-memory.dmp

Filesize
120KB

Download
memory/1356-143-0x0000000004BF5000-0x0000000004BF7000-memory.dmp

Filesize
8KB

Download
memory/1356-139-0x00000000052B0000-0x00000000058D8000-memory.dmp

Filesize
6.2MB

Download
memory/1356-140-0x0000000005A30000-0x0000000005A52000-memory.dmp

Filesize
136KB

Download
memory/1356-138-0x0000000004C40000-0x0000000004C76000-memory.dmp

Filesize
216KB

Download
memory/1356-146-0x0000000007420000-0x00000000074B6000-memory.dmp

Filesize
600KB

Download
memory/1356-145-0x00000000066D0000-0x00000000066EA000-memory.dmp

Filesize
104KB

Download
memory/1356-137-0x0000000000000000-mapping.dmp

Download
memory/1356-147-0x00000000067A0000-0x00000000067C2000-memory.dmp

Filesize
136KB

Download
memory/1356-144-0x0000000007800000-0x0000000007E7A000-memory.dmp

Filesize
6.5MB

Download
memory/1356-141-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/1840-131-0x000000000B460000-0x000000000BA04000-memory.dmp

Filesize
5.6MB

Download
memory/1840-130-0x0000000000DD0000-0x0000000000E70000-memory.dmp

Filesize
640KB

Download
memory/2360-132-0x0000000000000000-mapping.dmp

Download
memory/4356-133-0x0000000000000000-mapping.dmp

Download
memory/4356-136-0x00000000052C0000-0x0000000005326000-memory.dmp

Filesize
408KB

Download
memory/4356-135-0x0000000005220000-0x00000000052B2000-memory.dmp

Filesize
584KB

Download
memory/4356-134-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads