masslogger | c97a85b9365892a80cc4aa90617e23a9b4c9f60006cb3f6fa50e8b0608313cb8

General

Target

NEW ORDER-pdf.exe
Size

975KB
MD5

8d656218e53f2ad9c26305b758ba9aeb
SHA1

2d313b132c0cc280739a3dc9034c6d8891284f77
SHA256

779ef456127a144ebaa7485d4109add0574ec267fc350d4d3493d77631a56fde
SHA512

7d25a693230bc6a902ee81c084d0f7f894240bc674a870ce611e5d59bee6af62de4a5023ccb461caba8d7db4b82d37aad0de6c1bb1edc39b94a5752144375de2

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4196-137-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

Processes:

NEW ORDER-pdf.exe

description pid process target process

PID 2764 set thread context of 4196 2764 NEW ORDER-pdf.exe NEW ORDER-pdf.exe

description	pid	process	target process
PID 2764 set thread context of 4196	2764	NEW ORDER-pdf.exe	NEW ORDER-pdf.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

NEW ORDER-pdf.exeNEW ORDER-pdf.exepowershell.exe

pid	process
2764	NEW ORDER-pdf.exe
2764	NEW ORDER-pdf.exe
2764	NEW ORDER-pdf.exe
2764	NEW ORDER-pdf.exe
2764	NEW ORDER-pdf.exe
4196	NEW ORDER-pdf.exe
4196	NEW ORDER-pdf.exe
220	powershell.exe
220	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

NEW ORDER-pdf.exeNEW ORDER-pdf.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2764	NEW ORDER-pdf.exe
Token: SeDebugPrivilege	4196	NEW ORDER-pdf.exe
Token: SeDebugPrivilege	220	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

NEW ORDER-pdf.exeNEW ORDER-pdf.exe

description	pid	process	target process
PID 2764 wrote to memory of 4108	2764	NEW ORDER-pdf.exe	NEW ORDER-pdf.exe
PID 2764 wrote to memory of 4108	2764	NEW ORDER-pdf.exe	NEW ORDER-pdf.exe
PID 2764 wrote to memory of 4108	2764	NEW ORDER-pdf.exe	NEW ORDER-pdf.exe
PID 2764 wrote to memory of 4196	2764	NEW ORDER-pdf.exe	NEW ORDER-pdf.exe
PID 2764 wrote to memory of 4196	2764	NEW ORDER-pdf.exe	NEW ORDER-pdf.exe
PID 2764 wrote to memory of 4196	2764	NEW ORDER-pdf.exe	NEW ORDER-pdf.exe
PID 2764 wrote to memory of 4196	2764	NEW ORDER-pdf.exe	NEW ORDER-pdf.exe
PID 2764 wrote to memory of 4196	2764	NEW ORDER-pdf.exe	NEW ORDER-pdf.exe
PID 2764 wrote to memory of 4196	2764	NEW ORDER-pdf.exe	NEW ORDER-pdf.exe
PID 2764 wrote to memory of 4196	2764	NEW ORDER-pdf.exe	NEW ORDER-pdf.exe
PID 2764 wrote to memory of 4196	2764	NEW ORDER-pdf.exe	NEW ORDER-pdf.exe
PID 4196 wrote to memory of 220	4196	NEW ORDER-pdf.exe	powershell.exe
PID 4196 wrote to memory of 220	4196	NEW ORDER-pdf.exe	powershell.exe
PID 4196 wrote to memory of 220	4196	NEW ORDER-pdf.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\NEW ORDER-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER-pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Local\Temp\NEW ORDER-pdf.exe
"{path}"
2⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\NEW ORDER-pdf.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\NEW ORDER-pdf.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW ORDER-pdf.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/220-145-0x0000000005C10000-0x0000000005C2E000-memory.dmp

Filesize
120KB

Download
memory/220-144-0x0000000004CE0000-0x0000000004D46000-memory.dmp

Filesize
408KB

Download
memory/220-139-0x0000000000000000-mapping.dmp

Download
memory/220-148-0x0000000006CE0000-0x0000000006D76000-memory.dmp

Filesize
600KB

Download
memory/220-147-0x0000000006080000-0x000000000609A000-memory.dmp

Filesize
104KB

Download
memory/220-146-0x00000000072C0000-0x000000000793A000-memory.dmp

Filesize
6.5MB

Download
memory/220-143-0x0000000004BC0000-0x0000000004BE2000-memory.dmp

Filesize
136KB

Download
memory/220-141-0x0000000002260000-0x0000000002296000-memory.dmp

Filesize
216KB

Download
memory/220-142-0x0000000004D80000-0x00000000053A8000-memory.dmp

Filesize
6.2MB

Download
memory/220-149-0x00000000061D0000-0x00000000061F2000-memory.dmp

Filesize
136KB

Download
memory/2764-133-0x0000000005190000-0x000000000519A000-memory.dmp

Filesize
40KB

Download
memory/2764-132-0x0000000005000000-0x0000000005092000-memory.dmp

Filesize
584KB

Download
memory/2764-130-0x0000000000570000-0x000000000066A000-memory.dmp

Filesize
1000KB

Download
memory/2764-134-0x0000000007570000-0x000000000760C000-memory.dmp

Filesize
624KB

Download
memory/2764-131-0x00000000055B0000-0x0000000005B54000-memory.dmp

Filesize
5.6MB

Download
memory/4108-135-0x0000000000000000-mapping.dmp

Download
memory/4196-138-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/4196-137-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4196-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads