masslogger | 3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897

General

Target

3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
Size

1.2MB
MD5

f0459ea78912ae96a3b503e483db6ce5
SHA1

782aa3b2d3ec604627e4ed8174bd63b5df876d22
SHA256

3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897
SHA512

b266b8286852d7d9ad063fdf19d05ea35d0b38b788de7141ca950c7fdc4f2aacb04748278e04b5ecbe8474af88308494b0fd97cc2a55efbc880c868b91b43554

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5004-139-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

Processes:

3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe

description	pid	process	target process
PID 3940 set thread context of 5004	3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exepowershell.exe

pid	process
3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
5004	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
5004	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
3056	powershell.exe
3056	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
Token: SeDebugPrivilege	5004	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
Token: SeDebugPrivilege	3056	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe

C:\Users\Admin\AppData\Local\Temp\3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
"C:\Users\Admin\AppData\Local\Temp\3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Local\Temp\3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
  "C:\Users\Admin\AppData\Local\Temp\3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe"
  2⤵
  PID:3076
- C:\Users\Admin\AppData\Local\Temp\3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
  "C:\Users\Admin\AppData\Local\Temp\3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe"
  2⤵
  PID:3876
- C:\Users\Admin\AppData\Local\Temp\3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
  "C:\Users\Admin\AppData\Local\Temp\3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe.log

Filesize
1KB

MD5
bb3d30439ec1e6435c3eac4df8c1d2e3

SHA1
c901d5946e53ae0a9e2417c8dfaf5786a0037422

SHA256
182adf89e57f80a92db9a5e13105cd59544f37855ca35f98116a0182ddd3b2e6

SHA512
d3547aadf665ce2552b3dfa350b80a5e813aa346870fb2b05a3b998096eebf563143bffe964e0f7243761b79420d1adf02f735779902901d1a41a1f35c557572

Download Submit
memory/3056-145-0x0000000005120000-0x0000000005142000-memory.dmp

Filesize
136KB

Download
memory/3056-144-0x0000000005380000-0x00000000059A8000-memory.dmp

Filesize
6.2MB

Download
memory/3056-142-0x0000000000000000-mapping.dmp

Download
memory/3056-151-0x0000000007350000-0x00000000073E6000-memory.dmp

Filesize
600KB

Download
memory/3056-150-0x0000000002945000-0x0000000002947000-memory.dmp

Filesize
8KB

Download
memory/3056-149-0x0000000006610000-0x000000000662A000-memory.dmp

Filesize
104KB

Download
memory/3056-148-0x0000000007930000-0x0000000007FAA000-memory.dmp

Filesize
6.5MB

Download
memory/3056-143-0x0000000001000000-0x0000000001036000-memory.dmp

Filesize
216KB

Download
memory/3056-147-0x00000000060F0000-0x000000000610E000-memory.dmp

Filesize
120KB

Download
memory/3056-152-0x00000000066D0000-0x00000000066F2000-memory.dmp

Filesize
136KB

Download
memory/3056-146-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/3076-136-0x0000000000000000-mapping.dmp

Download
memory/3876-137-0x0000000000000000-mapping.dmp

Download
memory/3940-130-0x0000000000730000-0x0000000000874000-memory.dmp

Filesize
1.3MB

Download
memory/3940-133-0x00000000052E0000-0x0000000005372000-memory.dmp

Filesize
584KB

Download
memory/3940-131-0x0000000005240000-0x00000000052DC000-memory.dmp

Filesize
624KB

Download
memory/3940-132-0x0000000005890000-0x0000000005E34000-memory.dmp

Filesize
5.6MB

Download
memory/3940-135-0x0000000005520000-0x0000000005576000-memory.dmp

Filesize
344KB

Download
memory/3940-134-0x0000000005220000-0x000000000522A000-memory.dmp

Filesize
40KB

Download
memory/5004-139-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5004-138-0x0000000000000000-mapping.dmp

Download
memory/5004-141-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download

description	pid	process	target process
PID 3940 wrote to memory of 3076	3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
PID 3940 wrote to memory of 3076	3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
PID 3940 wrote to memory of 3076	3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
PID 3940 wrote to memory of 3876	3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
PID 3940 wrote to memory of 3876	3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
PID 3940 wrote to memory of 3876	3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
PID 3940 wrote to memory of 5004	3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
PID 3940 wrote to memory of 5004	3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
PID 3940 wrote to memory of 5004	3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
PID 3940 wrote to memory of 5004	3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
PID 3940 wrote to memory of 5004	3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
PID 3940 wrote to memory of 5004	3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
PID 3940 wrote to memory of 5004	3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
PID 3940 wrote to memory of 5004	3940	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe
PID 5004 wrote to memory of 3056	5004	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe	powershell.exe
PID 5004 wrote to memory of 3056	5004	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe	powershell.exe
PID 5004 wrote to memory of 3056	5004	3c407667b6f2f4d37a823737a871b61a31d9269fafeb9197c72e04e0591f6897.exe	powershell.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads