masslogger | d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034

General

Target

d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe
Size

1.1MB
MD5

ecbf1f6ce22da8082682021bd2645b81
SHA1

fe1e108e2db522b0ceb5f55435f0004416c8d004
SHA256

d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034
SHA512

8eebff6560af65b0b34a38243f228c6b0e3b28192b91866e4e3c7ed839a0e7e8512fb7a56b23fce3ed54716c11d65ffb9abb36b9a893f1188cc20656a199908d

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4548-138-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3372 set thread context of 4548	3372	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3372	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe
4548	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe
4548	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe
2036	powershell.exe
2036	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3372	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe
Token: SeDebugPrivilege	4548	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe
Token: SeDebugPrivilege	2036	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 628	3372	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe	85
PID 3372 wrote to memory of 628	3372	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe	85
PID 3372 wrote to memory of 628	3372	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe	85
PID 3372 wrote to memory of 4548	3372	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe	87
PID 3372 wrote to memory of 4548	3372	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe	87
PID 3372 wrote to memory of 4548	3372	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe	87
PID 3372 wrote to memory of 4548	3372	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe	87
PID 3372 wrote to memory of 4548	3372	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe	87
PID 3372 wrote to memory of 4548	3372	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe	87
PID 3372 wrote to memory of 4548	3372	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe	87
PID 3372 wrote to memory of 4548	3372	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe	87
PID 4548 wrote to memory of 2036	4548	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe	88
PID 4548 wrote to memory of 2036	4548	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe	88
PID 4548 wrote to memory of 2036	4548	d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe	88

C:\Users\Admin\AppData\Local\Temp\d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe
"C:\Users\Admin\AppData\Local\Temp\d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWXDYALw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp656C.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:628
- C:\Users\Admin\AppData\Local\Temp\d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d057abf6122bb26a1c28ec59940a57913227fea8a6dd303b0e2d8269c282a034.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp656C.tmp

Filesize
1KB

MD5
b77c7b2f810dba2b5a59150b7e97d91c

SHA1
dbafb542236ed619da6710012f31ff588eba3f93

SHA256
c9231c8a4e0e19bc92bc5e86e09f6e5cda7bc2f64d53da4cfea2725f5414b6e8

SHA512
5470a31e1832fab39d894bc850f80dbabdd471d631418a12bba31bbe103a34061f14fcb2713d18260bfcb585a17d73afc83ba02384143d212421b4643f04a6ed

Download Submit
memory/2036-145-0x0000000006150000-0x00000000061B6000-memory.dmp

Filesize
408KB

Download
memory/2036-146-0x00000000068D0000-0x00000000068EE000-memory.dmp

Filesize
120KB

Download
memory/2036-150-0x0000000006E30000-0x0000000006E52000-memory.dmp

Filesize
136KB

Download
memory/2036-149-0x0000000007B70000-0x0000000007C06000-memory.dmp

Filesize
600KB

Download
memory/2036-148-0x0000000006DC0000-0x0000000006DDA000-memory.dmp

Filesize
104KB

Download
memory/2036-147-0x0000000008110000-0x000000000878A000-memory.dmp

Filesize
6.5MB

Download
memory/2036-144-0x0000000005A30000-0x0000000005A52000-memory.dmp

Filesize
136KB

Download
memory/2036-143-0x0000000005B20000-0x0000000006148000-memory.dmp

Filesize
6.2MB

Download
memory/2036-142-0x0000000002FA0000-0x0000000002FD6000-memory.dmp

Filesize
216KB

Download
memory/3372-131-0x0000000005B00000-0x00000000060A4000-memory.dmp

Filesize
5.6MB

Download
memory/3372-130-0x0000000000C90000-0x0000000000DAC000-memory.dmp

Filesize
1.1MB

Download
memory/3372-134-0x0000000008070000-0x000000000810C000-memory.dmp

Filesize
624KB

Download
memory/3372-132-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/3372-133-0x00000000057C0000-0x00000000057CA000-memory.dmp

Filesize
40KB

Download
memory/4548-140-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/4548-138-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads