masslogger | b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e

General

Target

b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
Size

1.0MB
MD5

8802b4bf7ac58aacf4e9c21e90b79df7
SHA1

d60038c985976958202eaa6326e222e418865863
SHA256

b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e
SHA512

89fcf9ab5af4401745d858dac2476d1ebff1e2a58cd6174ad3898054d96451991786763770020d25c79094447724f7d14ecd2ebaf4e7141bf8f50fa52f7f3f67

Score

10^/10

masslogger evasion spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4964-138-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

hostlasco.exehostlasco.exe

pid process

4412 hostlasco.exe
3512 hostlasco.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

pid	process
4412	hostlasco.exe
3512	hostlasco.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exehostlasco.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	hostlasco.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	hostlasco.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.ipify.org

flow	ioc
11	api.ipify.org

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exehostlasco.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	hostlasco.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	hostlasco.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exehostlasco.exe

description	pid	process	target process
PID 4720 set thread context of 4964	4720	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
PID 4412 set thread context of 3512	4412	hostlasco.exe	hostlasco.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4472 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4528 timeout.exe

pid	process
4472	schtasks.exe

pid	process
4528	timeout.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exeb78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exehostlasco.exehostlasco.exe

pid	process
4720	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4720	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4720	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
4412	hostlasco.exe
4412	hostlasco.exe
3512	hostlasco.exe
3512	hostlasco.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exeb78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exehostlasco.exehostlasco.exe

description	pid	process
Token: SeDebugPrivilege	4720	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
Token: SeDebugPrivilege	4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
Token: SeDebugPrivilege	4412	hostlasco.exe
Token: SeDebugPrivilege	3512	hostlasco.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exeb78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.execmd.execmd.exehostlasco.exe

description	pid	process	target process
PID 4720 wrote to memory of 4964	4720	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
PID 4720 wrote to memory of 4964	4720	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
PID 4720 wrote to memory of 4964	4720	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
PID 4720 wrote to memory of 4964	4720	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
PID 4720 wrote to memory of 4964	4720	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
PID 4720 wrote to memory of 4964	4720	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
PID 4720 wrote to memory of 4964	4720	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
PID 4720 wrote to memory of 4964	4720	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
PID 4964 wrote to memory of 4112	4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe	cmd.exe
PID 4964 wrote to memory of 4112	4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe	cmd.exe
PID 4964 wrote to memory of 4112	4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe	cmd.exe
PID 4964 wrote to memory of 4276	4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe	cmd.exe
PID 4964 wrote to memory of 4276	4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe	cmd.exe
PID 4964 wrote to memory of 4276	4964	b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe	cmd.exe
PID 4112 wrote to memory of 4472	4112	cmd.exe	schtasks.exe
PID 4112 wrote to memory of 4472	4112	cmd.exe	schtasks.exe
PID 4112 wrote to memory of 4472	4112	cmd.exe	schtasks.exe
PID 4276 wrote to memory of 4528	4276	cmd.exe	timeout.exe
PID 4276 wrote to memory of 4528	4276	cmd.exe	timeout.exe
PID 4276 wrote to memory of 4528	4276	cmd.exe	timeout.exe
PID 4276 wrote to memory of 4412	4276	cmd.exe	hostlasco.exe
PID 4276 wrote to memory of 4412	4276	cmd.exe	hostlasco.exe
PID 4276 wrote to memory of 4412	4276	cmd.exe	hostlasco.exe
PID 4412 wrote to memory of 3512	4412	hostlasco.exe	hostlasco.exe
PID 4412 wrote to memory of 3512	4412	hostlasco.exe	hostlasco.exe
PID 4412 wrote to memory of 3512	4412	hostlasco.exe	hostlasco.exe
PID 4412 wrote to memory of 3512	4412	hostlasco.exe	hostlasco.exe
PID 4412 wrote to memory of 3512	4412	hostlasco.exe	hostlasco.exe
PID 4412 wrote to memory of 3512	4412	hostlasco.exe	hostlasco.exe
PID 4412 wrote to memory of 3512	4412	hostlasco.exe	hostlasco.exe
PID 4412 wrote to memory of 3512	4412	hostlasco.exe	hostlasco.exe

C:\Users\Admin\AppData\Local\Temp\b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
"C:\Users\Admin\AppData\Local\Temp\b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Local\Temp\b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe
  "C:\Users\Admin\AppData\Local\Temp\b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn hostlasco.exe /tr '"C:\Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn hostlasco.exe /tr '"C:\Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe"'
      4⤵
      Creates scheduled task(s)
      PID:4472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC7C.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe
      "C:\Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Maps connected drives based on registry
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4412
    - - C:\Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe
        
        "C:\Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e.exe.log

Filesize
1KB

MD5
39c80e11c25478a5d6863f9ec7c44834

SHA1
f29c08656792b274ef6da35b0071fa93e45ca940

SHA256
7a0cb24b4ab253688e19c863fa1d2da3c640228fa53e7aacc78b22fb7a6c4c99

SHA512
8095d6f3d95d783d37aee06e7d2d3b15a80e5898ee9029c65c8ba609ca19ba10719c0f0e7206a7a1e1b739339921c7268f5e9f473869d5a1f0c4d8fb82fea18a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hostlasco.exe.log

Filesize
1KB

MD5
39c80e11c25478a5d6863f9ec7c44834

SHA1
f29c08656792b274ef6da35b0071fa93e45ca940

SHA256
7a0cb24b4ab253688e19c863fa1d2da3c640228fa53e7aacc78b22fb7a6c4c99

SHA512
8095d6f3d95d783d37aee06e7d2d3b15a80e5898ee9029c65c8ba609ca19ba10719c0f0e7206a7a1e1b739339921c7268f5e9f473869d5a1f0c4d8fb82fea18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe

Filesize
1.0MB

MD5
8802b4bf7ac58aacf4e9c21e90b79df7

SHA1
d60038c985976958202eaa6326e222e418865863

SHA256
b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e

SHA512
89fcf9ab5af4401745d858dac2476d1ebff1e2a58cd6174ad3898054d96451991786763770020d25c79094447724f7d14ecd2ebaf4e7141bf8f50fa52f7f3f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe

Filesize
1.0MB

MD5
8802b4bf7ac58aacf4e9c21e90b79df7

SHA1
d60038c985976958202eaa6326e222e418865863

SHA256
b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e

SHA512
89fcf9ab5af4401745d858dac2476d1ebff1e2a58cd6174ad3898054d96451991786763770020d25c79094447724f7d14ecd2ebaf4e7141bf8f50fa52f7f3f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\submaild\hostlasco.exe

Filesize
1.0MB

MD5
8802b4bf7ac58aacf4e9c21e90b79df7

SHA1
d60038c985976958202eaa6326e222e418865863

SHA256
b78442ab204b03b70021c64336e5b1481ef2ecda74d6d6cead0af13fc1d9b44e

SHA512
89fcf9ab5af4401745d858dac2476d1ebff1e2a58cd6174ad3898054d96451991786763770020d25c79094447724f7d14ecd2ebaf4e7141bf8f50fa52f7f3f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC7C.tmp.bat

Filesize
165B

MD5
dd28318bd65a010d4b4fee3d703d3a43

SHA1
addf4f96edc642e23a46637b28b055b05058570e

SHA256
edceb70a08473fbc9087354b6c3261dfa4bd2e7e50f0a0649afdb0762dabb39b

SHA512
c5aef54ae9273c5ef4d789208cbb6f3e782c0aa6e87df13c5345af343589cb345d2e1cf7278f6c945491c0cae61106311d240e257b208094f28937ba5b2732b1

Download Submit
memory/3512-149-0x0000000000000000-mapping.dmp

Download
memory/4112-141-0x0000000000000000-mapping.dmp

Download
memory/4276-142-0x0000000000000000-mapping.dmp

Download
memory/4412-146-0x0000000000000000-mapping.dmp

Download
memory/4472-144-0x0000000000000000-mapping.dmp

Download
memory/4528-145-0x0000000000000000-mapping.dmp

Download
memory/4720-135-0x00000000085E0000-0x0000000008636000-memory.dmp

Filesize
344KB

Download
memory/4720-136-0x00000000091A0000-0x0000000009206000-memory.dmp

Filesize
408KB

Download
memory/4720-130-0x0000000000FC0000-0x00000000010D2000-memory.dmp

Filesize
1.1MB

Download
memory/4720-134-0x0000000008370000-0x000000000837A000-memory.dmp

Filesize
40KB

Download
memory/4720-133-0x00000000083F0000-0x0000000008482000-memory.dmp

Filesize
584KB

Download
memory/4720-132-0x0000000008900000-0x0000000008EA4000-memory.dmp

Filesize
5.6MB

Download
memory/4720-131-0x00000000082B0000-0x000000000834C000-memory.dmp

Filesize
624KB

Download
memory/4964-140-0x0000000004E53000-0x0000000004E55000-memory.dmp

Filesize
8KB

Download
memory/4964-138-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4964-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads