masslogger | 0708ae21c945e7a47d303c2a0bb4dcbe19f21ddf7e2737f99bb08989fd7cf99d

General

Target

PO#7543.exe
Size

1.0MB
MD5

5aa8483a8c628f34d66a2f29a205ba93
SHA1

02fe589f59943e848bffb0ddd6a3aacd507a8cc2
SHA256

3909d98e17a32e0f29fbe151a84907b5319b2f8317ba04a8c55ad9668db37e3b
SHA512

878f4e43a5ef631f81edfdd5c1984daa94610aeb24f82502e4a65bcd31e486071b1fcf9c5a950e47e74d93f43754549e8139155cc408b1ddd9c20564e5eb8e82

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2924-136-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO#7543.exe

description pid process target process

PID 2772 set thread context of 2924 2772 PO#7543.exe PO#7543.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

PO#7543.exePO#7543.exepowershell.exe

pid process

2772 PO#7543.exe
2772 PO#7543.exe
2772 PO#7543.exe
2924 PO#7543.exe
2924 PO#7543.exe
4572 powershell.exe
4572 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO#7543.exePO#7543.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2772 PO#7543.exe
Token: SeDebugPrivilege 2924 PO#7543.exe
Token: SeDebugPrivilege 4572 powershell.exe

description	pid	process	target process
PID 2772 set thread context of 2924	2772	PO#7543.exe	PO#7543.exe

pid	process
2772	PO#7543.exe
2772	PO#7543.exe
2772	PO#7543.exe
2924	PO#7543.exe
2924	PO#7543.exe
4572	powershell.exe
4572	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2772	PO#7543.exe
Token: SeDebugPrivilege	2924	PO#7543.exe
Token: SeDebugPrivilege	4572	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

PO#7543.exePO#7543.exe

description	pid	process	target process
PID 2772 wrote to memory of 2924	2772	PO#7543.exe	PO#7543.exe
PID 2772 wrote to memory of 2924	2772	PO#7543.exe	PO#7543.exe
PID 2772 wrote to memory of 2924	2772	PO#7543.exe	PO#7543.exe
PID 2772 wrote to memory of 2924	2772	PO#7543.exe	PO#7543.exe
PID 2772 wrote to memory of 2924	2772	PO#7543.exe	PO#7543.exe
PID 2772 wrote to memory of 2924	2772	PO#7543.exe	PO#7543.exe
PID 2772 wrote to memory of 2924	2772	PO#7543.exe	PO#7543.exe
PID 2772 wrote to memory of 2924	2772	PO#7543.exe	PO#7543.exe
PID 2924 wrote to memory of 4572	2924	PO#7543.exe	powershell.exe
PID 2924 wrote to memory of 4572	2924	PO#7543.exe	powershell.exe
PID 2924 wrote to memory of 4572	2924	PO#7543.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\PO#7543.exe
"C:\Users\Admin\AppData\Local\Temp\PO#7543.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\PO#7543.exe
"C:\Users\Admin\AppData\Local\Temp\PO#7543.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PO#7543.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO#7543.exe.log

Filesize
1KB

MD5
21e594849d9d68d6e77d327848021e5c

SHA1
812590cb60e0e7d11f0350ea46a484a2758178c2

SHA256
b503f7214e23e0c8881eba99991af376427074bd9410e2a52fcf009b0a73db9e

SHA512
8c63c8ae84d626869f93af20a5dcc46fd26cdf4573848631adfe905313dea255d3c2337f7d45a63e72dc9297c60d7a18107bbf72b34e4b448109797aaa50377a

Download Submit
memory/2772-131-0x0000000008210000-0x00000000087B4000-memory.dmp

Filesize
5.6MB

Download
memory/2772-132-0x0000000007E10000-0x0000000007EA2000-memory.dmp

Filesize
584KB

Download
memory/2772-133-0x0000000007F50000-0x0000000007FEC000-memory.dmp

Filesize
624KB

Download
memory/2772-134-0x0000000007ED0000-0x0000000007EDA000-memory.dmp

Filesize
40KB

Download
memory/2772-130-0x0000000000AF0000-0x0000000000C06000-memory.dmp

Filesize
1.1MB

Download
memory/2924-138-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/2924-136-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2924-135-0x0000000000000000-mapping.dmp

Download
memory/4572-139-0x0000000000000000-mapping.dmp

Download
memory/4572-140-0x0000000004AB0000-0x0000000004AE6000-memory.dmp

Filesize
216KB

Download
memory/4572-141-0x0000000005120000-0x0000000005748000-memory.dmp

Filesize
6.2MB

Download
memory/4572-142-0x0000000005040000-0x0000000005062000-memory.dmp

Filesize
136KB

Download
memory/4572-143-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/4572-144-0x0000000004DA0000-0x0000000004DBE000-memory.dmp

Filesize
120KB

Download
memory/4572-145-0x0000000007860000-0x0000000007EDA000-memory.dmp

Filesize
6.5MB

Download
memory/4572-146-0x0000000006510000-0x000000000652A000-memory.dmp

Filesize
104KB

Download
memory/4572-147-0x0000000007280000-0x0000000007316000-memory.dmp

Filesize
600KB

Download
memory/4572-148-0x00000000065D0000-0x00000000065F2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads