masslogger | ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b

General

Target

ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
Size

784KB
MD5

522a792f04d1da15ac115413b4fd93fa
SHA1

8ccbfc0cda92612e323cf17ac9df77e12fa40ace
SHA256

ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b
SHA512

73419a54c901169841099947d603bad7af811fd37fc2c5c01fcd5de74d18b03f7f817c6bae94dcb5096bcf939c3e1b9fede30d96f133863c77dfb25511c83da6

Score

10^/10

masslogger evasion spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1672-139-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe

description	pid	process	target process
PID 1344 set thread context of 1672	1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exead35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exepowershell.exe

pid	process
1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
1672	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
1672	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
4228	powershell.exe
4228	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exead35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
Token: SeDebugPrivilege	1672	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
Token: SeDebugPrivilege	4228	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exead35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe

C:\Users\Admin\AppData\Local\Temp\ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
"C:\Users\Admin\AppData\Local\Temp\ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Local\Temp\ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
"{path}"
2⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
"{path}"
2⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe.log

Filesize
1KB

MD5
e08f822522c617a40840c62e4b0fb45e

SHA1
ae516dca4da5234be6676d3f234c19ec55725be7

SHA256
bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

SHA512
894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

Download Submit
memory/1344-130-0x00000000007C0000-0x0000000000888000-memory.dmp

Filesize
800KB

Download
memory/1344-131-0x00000000057E0000-0x0000000005D84000-memory.dmp

Filesize
5.6MB

Download
memory/1344-132-0x0000000005150000-0x00000000051E2000-memory.dmp

Filesize
584KB

Download
memory/1344-133-0x00000000050F0000-0x00000000050FA000-memory.dmp

Filesize
40KB

Download
memory/1344-134-0x0000000007620000-0x00000000076BC000-memory.dmp

Filesize
624KB

Download
memory/1344-135-0x000000000D500000-0x000000000D566000-memory.dmp

Filesize
408KB

Download
memory/1672-138-0x0000000000000000-mapping.dmp

Download
memory/1672-139-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1724-136-0x0000000000000000-mapping.dmp

Download
memory/4228-140-0x0000000000000000-mapping.dmp

Download
memory/4228-142-0x0000000002C50000-0x0000000002C86000-memory.dmp

Filesize
216KB

Download
memory/4228-143-0x0000000005730000-0x0000000005D58000-memory.dmp

Filesize
6.2MB

Download
memory/4228-144-0x00000000055C0000-0x00000000055E2000-memory.dmp

Filesize
136KB

Download
memory/4228-145-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/4228-146-0x0000000006570000-0x000000000658E000-memory.dmp

Filesize
120KB

Download
memory/4228-147-0x0000000007BD0000-0x000000000824A000-memory.dmp

Filesize
6.5MB

Download
memory/4228-148-0x0000000006A70000-0x0000000006A8A000-memory.dmp

Filesize
104KB

Download
memory/4228-149-0x00000000075F0000-0x0000000007686000-memory.dmp

Filesize
600KB

Download
memory/4228-150-0x0000000006B40000-0x0000000006B62000-memory.dmp

Filesize
136KB

Download
memory/4232-137-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1344 wrote to memory of 1724	1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
PID 1344 wrote to memory of 1724	1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
PID 1344 wrote to memory of 1724	1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
PID 1344 wrote to memory of 4232	1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
PID 1344 wrote to memory of 4232	1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
PID 1344 wrote to memory of 4232	1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
PID 1344 wrote to memory of 1672	1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
PID 1344 wrote to memory of 1672	1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
PID 1344 wrote to memory of 1672	1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
PID 1344 wrote to memory of 1672	1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
PID 1344 wrote to memory of 1672	1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
PID 1344 wrote to memory of 1672	1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
PID 1344 wrote to memory of 1672	1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
PID 1344 wrote to memory of 1672	1344	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe
PID 1672 wrote to memory of 4228	1672	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe	powershell.exe
PID 1672 wrote to memory of 4228	1672	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe	powershell.exe
PID 1672 wrote to memory of 4228	1672	ad35600b7390c8cb353fe9c623eb71df7fe0badbe2ae358b61a42b031b6e921b.exe	powershell.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads