masslogger | fa38f0ccd9bf16fc4a604e08edde30af5f42fe80e58c50a512351c8f786a7c12

General

Target

Purchase Enquiry.exe
Size

861KB
MD5

a2d838c6e251e6090ed3c6a3920f5f1c
SHA1

dd72443878e710ca004b7f9e69f6c35be633d48f
SHA256

0d882f1f12ca2d8198129db908eb0cef60a375ab3796950751fc2111a60f49a8
SHA512

8abd27283e8b05fb4a66c6769c18c5910dac9c3a37d002b38be55232312451c20d94408899aa17639b7a89120ccacf7a19555d1ebc149abbc0cddf35c090054d

Score

10^/10

masslogger collection spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1752-63-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/1752-64-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/1752-65-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/1752-66-0x0000000000481BEE-mapping.dmp	family_masslogger
behavioral1/memory/1752-68-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger
behavioral1/memory/1752-70-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Purchase Enquiry.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation	Purchase Enquiry.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs

collection

Email Collection

T1114

Processes:

Purchase Enquiry.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Purchase Enquiry.exe

description pid process target process

PID 336 set thread context of 1752 336 Purchase Enquiry.exe Purchase Enquiry.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2032 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Purchase Enquiry.exe

pid process

1752 Purchase Enquiry.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Purchase Enquiry.exepowershell.exe

pid process

1752 Purchase Enquiry.exe
1752 Purchase Enquiry.exe
1752 Purchase Enquiry.exe
1752 Purchase Enquiry.exe
736 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Purchase Enquiry.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1752 Purchase Enquiry.exe
Token: SeDebugPrivilege 736 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Purchase Enquiry.exe

pid process

1752 Purchase Enquiry.exe

flow	ioc
4	api.ipify.org

description	pid	process	target process
PID 336 set thread context of 1752	336	Purchase Enquiry.exe	Purchase Enquiry.exe

pid	process
2032	schtasks.exe

pid	process
1752	Purchase Enquiry.exe

pid	process
1752	Purchase Enquiry.exe
1752	Purchase Enquiry.exe
1752	Purchase Enquiry.exe
1752	Purchase Enquiry.exe
736	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1752	Purchase Enquiry.exe
Token: SeDebugPrivilege	736	powershell.exe

pid	process
1752	Purchase Enquiry.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Purchase Enquiry.exePurchase Enquiry.exe

description	pid	process	target process
PID 336 wrote to memory of 2032	336	Purchase Enquiry.exe	schtasks.exe
PID 336 wrote to memory of 2032	336	Purchase Enquiry.exe	schtasks.exe
PID 336 wrote to memory of 2032	336	Purchase Enquiry.exe	schtasks.exe
PID 336 wrote to memory of 2032	336	Purchase Enquiry.exe	schtasks.exe
PID 336 wrote to memory of 1752	336	Purchase Enquiry.exe	Purchase Enquiry.exe
PID 336 wrote to memory of 1752	336	Purchase Enquiry.exe	Purchase Enquiry.exe
PID 336 wrote to memory of 1752	336	Purchase Enquiry.exe	Purchase Enquiry.exe
PID 336 wrote to memory of 1752	336	Purchase Enquiry.exe	Purchase Enquiry.exe
PID 336 wrote to memory of 1752	336	Purchase Enquiry.exe	Purchase Enquiry.exe
PID 336 wrote to memory of 1752	336	Purchase Enquiry.exe	Purchase Enquiry.exe
PID 336 wrote to memory of 1752	336	Purchase Enquiry.exe	Purchase Enquiry.exe
PID 336 wrote to memory of 1752	336	Purchase Enquiry.exe	Purchase Enquiry.exe
PID 336 wrote to memory of 1752	336	Purchase Enquiry.exe	Purchase Enquiry.exe
PID 1752 wrote to memory of 736	1752	Purchase Enquiry.exe	powershell.exe
PID 1752 wrote to memory of 736	1752	Purchase Enquiry.exe	powershell.exe
PID 1752 wrote to memory of 736	1752	Purchase Enquiry.exe	powershell.exe
PID 1752 wrote to memory of 736	1752	Purchase Enquiry.exe	powershell.exe

outlook_office_path 1 IoCs

Processes:

Purchase Enquiry.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe

outlook_win_path 1 IoCs

Processes:

Purchase Enquiry.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Enquiry.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Enquiry.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:336
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xbGCKTyLmcr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF85.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\Purchase Enquiry.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Enquiry.exe"
  2⤵
  - Checks computer location settings
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1752
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Purchase Enquiry.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFF85.tmp

Filesize
1KB

MD5
cc5a06553e510299e7646b301e18c7f2

SHA1
7c906b85a0898d3431576502d2a391eaad7adb34

SHA256
45d5e2385f11fd0ad4d03ff5f1c23b2125ab74e6d9895253b414bed010fa777c

SHA512
7fd638695e78c69c8ee43ba9d8935e177abfff931d10676c7b945e1d8be534ba951d2a1ccee69bd01a6db0ee7f50cc1c25918626410a448d89e244564b18e328

Download Submit
memory/336-54-0x0000000000DC0000-0x0000000000E9E000-memory.dmp

Filesize
888KB

Download
memory/336-55-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/336-56-0x0000000005560000-0x0000000005620000-memory.dmp

Filesize
768KB

Download
memory/336-57-0x0000000005010000-0x0000000005098000-memory.dmp

Filesize
544KB

Download
memory/736-75-0x0000000002302000-0x0000000002304000-memory.dmp

Filesize
8KB

Download
memory/736-74-0x000000006EF90000-0x000000006F53B000-memory.dmp

Filesize
5.7MB

Download
memory/736-73-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download
memory/736-71-0x0000000000000000-mapping.dmp

Download
memory/1752-68-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1752-65-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1752-66-0x0000000000481BEE-mapping.dmp

Download
memory/1752-64-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1752-70-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1752-63-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1752-72-0x0000000004E15000-0x0000000004E26000-memory.dmp

Filesize
68KB

Download
memory/1752-61-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1752-60-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2032-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads