masslogger | 99d55ebeea7a36f5c9549b16ee65675a327edb4c2e43833f3a94a2fd6d200f39

General

Target

Shipping Doc 3454.exe
Size

970KB
MD5

ff65414919a5ca429bd872a4f5ae696a
SHA1

3cbfcdb8b5f7bcab7bd09125627228bee497faba
SHA256

4b174227ea49d30f3378e8469d9849015779d6d3da73333ad0b386411bfade20
SHA512

6177b8c413aa14ad5ec49b9b71a59d89a53ffc10dcdb2a76a8ec64cdfe3541776f841f501da04d6aad1a7c64c4a44904f5f30bb6051feb2c3a5bc51d12c2e0cd

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3832-140-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3656 set thread context of 3832	3656	Shipping Doc 3454.exe	88

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3656	Shipping Doc 3454.exe
3656	Shipping Doc 3454.exe
3656	Shipping Doc 3454.exe
3656	Shipping Doc 3454.exe
3656	Shipping Doc 3454.exe
3656	Shipping Doc 3454.exe
3832	Shipping Doc 3454.exe
3832	Shipping Doc 3454.exe
1408	powershell.exe
1408	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3656	Shipping Doc 3454.exe
Token: SeDebugPrivilege	3832	Shipping Doc 3454.exe
Token: SeDebugPrivilege	1408	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 2032	3656	Shipping Doc 3454.exe	85
PID 3656 wrote to memory of 2032	3656	Shipping Doc 3454.exe	85
PID 3656 wrote to memory of 2032	3656	Shipping Doc 3454.exe	85
PID 3656 wrote to memory of 2416	3656	Shipping Doc 3454.exe	86
PID 3656 wrote to memory of 2416	3656	Shipping Doc 3454.exe	86
PID 3656 wrote to memory of 2416	3656	Shipping Doc 3454.exe	86
PID 3656 wrote to memory of 3644	3656	Shipping Doc 3454.exe	87
PID 3656 wrote to memory of 3644	3656	Shipping Doc 3454.exe	87
PID 3656 wrote to memory of 3644	3656	Shipping Doc 3454.exe	87
PID 3656 wrote to memory of 3832	3656	Shipping Doc 3454.exe	88
PID 3656 wrote to memory of 3832	3656	Shipping Doc 3454.exe	88
PID 3656 wrote to memory of 3832	3656	Shipping Doc 3454.exe	88
PID 3656 wrote to memory of 3832	3656	Shipping Doc 3454.exe	88
PID 3656 wrote to memory of 3832	3656	Shipping Doc 3454.exe	88
PID 3656 wrote to memory of 3832	3656	Shipping Doc 3454.exe	88
PID 3656 wrote to memory of 3832	3656	Shipping Doc 3454.exe	88
PID 3656 wrote to memory of 3832	3656	Shipping Doc 3454.exe	88
PID 3832 wrote to memory of 1408	3832	Shipping Doc 3454.exe	89
PID 3832 wrote to memory of 1408	3832	Shipping Doc 3454.exe	89
PID 3832 wrote to memory of 1408	3832	Shipping Doc 3454.exe	89

C:\Users\Admin\AppData\Local\Temp\Shipping Doc 3454.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Doc 3454.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Users\Admin\AppData\Local\Temp\Shipping Doc 3454.exe
  "C:\Users\Admin\AppData\Local\Temp\Shipping Doc 3454.exe"
  2⤵
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\Shipping Doc 3454.exe
  "C:\Users\Admin\AppData\Local\Temp\Shipping Doc 3454.exe"
  2⤵
  PID:2416
- C:\Users\Admin\AppData\Local\Temp\Shipping Doc 3454.exe
  "C:\Users\Admin\AppData\Local\Temp\Shipping Doc 3454.exe"
  2⤵
  PID:3644
- C:\Users\Admin\AppData\Local\Temp\Shipping Doc 3454.exe
  "C:\Users\Admin\AppData\Local\Temp\Shipping Doc 3454.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Shipping Doc 3454.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Doc 3454.exe.log

Filesize
1KB

MD5
17573558c4e714f606f997e5157afaac

SHA1
13e16e9415ceef429aaf124139671ebeca09ed23

SHA256
c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

SHA512
f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

Download Submit
memory/1408-147-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/1408-151-0x0000000007250000-0x00000000072E6000-memory.dmp

Filesize
600KB

Download
memory/1408-150-0x00000000064F0000-0x000000000650A000-memory.dmp

Filesize
104KB

Download
memory/1408-149-0x0000000007830000-0x0000000007EAA000-memory.dmp

Filesize
6.5MB

Download
memory/1408-148-0x0000000005FF0000-0x000000000600E000-memory.dmp

Filesize
120KB

Download
memory/1408-144-0x00000000026D0000-0x0000000002706000-memory.dmp

Filesize
216KB

Download
memory/1408-146-0x0000000005070000-0x0000000005092000-memory.dmp

Filesize
136KB

Download
memory/1408-145-0x0000000005160000-0x0000000005788000-memory.dmp

Filesize
6.2MB

Download
memory/1408-152-0x00000000071B0000-0x00000000071D2000-memory.dmp

Filesize
136KB

Download
memory/3656-135-0x0000000005670000-0x00000000056C6000-memory.dmp

Filesize
344KB

Download
memory/3656-130-0x0000000000A00000-0x0000000000AF8000-memory.dmp

Filesize
992KB

Download
memory/3656-134-0x0000000005490000-0x000000000549A000-memory.dmp

Filesize
40KB

Download
memory/3656-133-0x0000000005570000-0x0000000005602000-memory.dmp

Filesize
584KB

Download
memory/3656-132-0x0000000005B20000-0x00000000060C4000-memory.dmp

Filesize
5.6MB

Download
memory/3656-131-0x00000000054D0000-0x000000000556C000-memory.dmp

Filesize
624KB

Download
memory/3832-141-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/3832-140-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing