masslogger | fa38f0ccd9bf16fc4a604e08edde30af5f42fe80e58c50a512351c8f786a7c12

General

Target

Purchase Enquiry.exe
Size

861KB
MD5

a2d838c6e251e6090ed3c6a3920f5f1c
SHA1

dd72443878e710ca004b7f9e69f6c35be633d48f
SHA256

0d882f1f12ca2d8198129db908eb0cef60a375ab3796950751fc2111a60f49a8
SHA512

8abd27283e8b05fb4a66c6769c18c5910dac9c3a37d002b38be55232312451c20d94408899aa17639b7a89120ccacf7a19555d1ebc149abbc0cddf35c090054d

Score

10^/10

masslogger collection spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3748-139-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Purchase Enquiry.exePurchase Enquiry.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Purchase Enquiry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Purchase Enquiry.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

Processes:

Purchase Enquiry.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	Purchase Enquiry.exe
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Purchase Enquiry.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Purchase Enquiry.exe

description pid process target process

PID 2172 set thread context of 3748 2172 Purchase Enquiry.exe Purchase Enquiry.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4200 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Purchase Enquiry.exe

pid process

3748 Purchase Enquiry.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Purchase Enquiry.exepowershell.exe

pid process

3748 Purchase Enquiry.exe
3748 Purchase Enquiry.exe
3748 Purchase Enquiry.exe
3748 Purchase Enquiry.exe
2704 powershell.exe
2704 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Purchase Enquiry.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3748 Purchase Enquiry.exe
Token: SeDebugPrivilege 2704 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Purchase Enquiry.exe

pid process

3748 Purchase Enquiry.exe

flow	ioc
28	api.ipify.org

description	pid	process	target process
PID 2172 set thread context of 3748	2172	Purchase Enquiry.exe	Purchase Enquiry.exe

pid	process
4200	schtasks.exe

pid	process
3748	Purchase Enquiry.exe

pid	process
3748	Purchase Enquiry.exe
3748	Purchase Enquiry.exe
3748	Purchase Enquiry.exe
3748	Purchase Enquiry.exe
2704	powershell.exe
2704	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3748	Purchase Enquiry.exe
Token: SeDebugPrivilege	2704	powershell.exe

pid	process
3748	Purchase Enquiry.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Purchase Enquiry.exePurchase Enquiry.exe

description	pid	process	target process
PID 2172 wrote to memory of 4200	2172	Purchase Enquiry.exe	schtasks.exe
PID 2172 wrote to memory of 4200	2172	Purchase Enquiry.exe	schtasks.exe
PID 2172 wrote to memory of 4200	2172	Purchase Enquiry.exe	schtasks.exe
PID 2172 wrote to memory of 3748	2172	Purchase Enquiry.exe	Purchase Enquiry.exe
PID 2172 wrote to memory of 3748	2172	Purchase Enquiry.exe	Purchase Enquiry.exe
PID 2172 wrote to memory of 3748	2172	Purchase Enquiry.exe	Purchase Enquiry.exe
PID 2172 wrote to memory of 3748	2172	Purchase Enquiry.exe	Purchase Enquiry.exe
PID 2172 wrote to memory of 3748	2172	Purchase Enquiry.exe	Purchase Enquiry.exe
PID 2172 wrote to memory of 3748	2172	Purchase Enquiry.exe	Purchase Enquiry.exe
PID 2172 wrote to memory of 3748	2172	Purchase Enquiry.exe	Purchase Enquiry.exe
PID 2172 wrote to memory of 3748	2172	Purchase Enquiry.exe	Purchase Enquiry.exe
PID 3748 wrote to memory of 2704	3748	Purchase Enquiry.exe	powershell.exe
PID 3748 wrote to memory of 2704	3748	Purchase Enquiry.exe	powershell.exe
PID 3748 wrote to memory of 2704	3748	Purchase Enquiry.exe	powershell.exe

outlook_office_path 1 IoCs

Processes:

Purchase Enquiry.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe

outlook_win_path 1 IoCs

Processes:

Purchase Enquiry.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Enquiry.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Enquiry.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Enquiry.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xbGCKTyLmcr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp662C.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4200
- C:\Users\Admin\AppData\Local\Temp\Purchase Enquiry.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Enquiry.exe"
  2⤵
  - Checks computer location settings
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:3748
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Purchase Enquiry.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp662C.tmp

Filesize
1KB

MD5
30eb7bcba1baa81b3ead180cb219e28f

SHA1
64b17d9929280aae9919abcebc8a543cddcea66c

SHA256
6878864a1ebbfc8e30ccc381a2306337206e15e436c9ecfb3333f7df2ee890e7

SHA512
fa1b3003c08c6ec9f0d37821e227405a1e2897a7c08a02a71d423b916df2ea1dc4b3e2f79d8e69d3cdd4284b8aff6e1c40ea7b6d143fd7fcb4a7737f2c3501e5

Download Submit
memory/2172-131-0x0000000005330000-0x00000000053CC000-memory.dmp

Filesize
624KB

Download
memory/2172-132-0x0000000005980000-0x0000000005F24000-memory.dmp

Filesize
5.6MB

Download
memory/2172-133-0x0000000005470000-0x0000000005502000-memory.dmp

Filesize
584KB

Download
memory/2172-134-0x0000000005310000-0x000000000531A000-memory.dmp

Filesize
40KB

Download
memory/2172-135-0x0000000005510000-0x0000000005566000-memory.dmp

Filesize
344KB

Download
memory/2172-130-0x00000000009E0000-0x0000000000ABE000-memory.dmp

Filesize
888KB

Download
memory/2704-151-0x000000006FB10000-0x000000006FB5C000-memory.dmp

Filesize
304KB

Download
memory/2704-148-0x0000000006720000-0x000000000673E000-memory.dmp

Filesize
120KB

Download
memory/2704-159-0x0000000007D50000-0x0000000007D58000-memory.dmp

Filesize
32KB

Download
memory/2704-158-0x0000000007D70000-0x0000000007D8A000-memory.dmp

Filesize
104KB

Download
memory/2704-141-0x0000000000000000-mapping.dmp

Download
memory/2704-157-0x0000000007C70000-0x0000000007C7E000-memory.dmp

Filesize
56KB

Download
memory/2704-143-0x0000000005150000-0x0000000005186000-memory.dmp

Filesize
216KB

Download
memory/2704-156-0x0000000007CB0000-0x0000000007D46000-memory.dmp

Filesize
600KB

Download
memory/2704-145-0x0000000005850000-0x0000000005E78000-memory.dmp

Filesize
6.2MB

Download
memory/2704-146-0x0000000005F00000-0x0000000005F22000-memory.dmp

Filesize
136KB

Download
memory/2704-147-0x0000000006020000-0x0000000006086000-memory.dmp

Filesize
408KB

Download
memory/2704-155-0x0000000007AA0000-0x0000000007AAA000-memory.dmp

Filesize
40KB

Download
memory/2704-149-0x0000000005215000-0x0000000005217000-memory.dmp

Filesize
8KB

Download
memory/2704-150-0x00000000078D0000-0x0000000007902000-memory.dmp

Filesize
200KB

Download
memory/2704-154-0x0000000007A30000-0x0000000007A4A000-memory.dmp

Filesize
104KB

Download
memory/2704-152-0x0000000005490000-0x00000000054AE000-memory.dmp

Filesize
120KB

Download
memory/2704-153-0x0000000008080000-0x00000000086FA000-memory.dmp

Filesize
6.5MB

Download
memory/3748-138-0x0000000000000000-mapping.dmp

Download
memory/3748-144-0x0000000004FD3000-0x0000000004FD5000-memory.dmp

Filesize
8KB

Download
memory/3748-142-0x0000000006AA0000-0x0000000006AF0000-memory.dmp

Filesize
320KB

Download
memory/3748-140-0x0000000006270000-0x00000000062D6000-memory.dmp

Filesize
408KB

Download
memory/3748-139-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4200-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads