masslogger | ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f

General

Target

ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe
Size

1.1MB
MD5

2db21d61d37712d83a0c44dc9eae8ae8
SHA1

1e48335707a769cfeef577750c411a3777ececb4
SHA256

ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f
SHA512

d72565ccbc05b94bd01814f1d930429f7f077753a8d3fcb4132224cb8ba43bcd7de86d2edf6d2be8cf63eb54a94ba6ed943ac6b2ef8fb2db7c9963e7db2a8582

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1352-61-0x0000000004800000-0x0000000004886000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation	ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1952	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1352	ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1352	ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe
1352	ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe
1352	ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe
1352	ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe
1352	ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe
1352	ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1352	ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1952	1352	ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe	27
PID 1352 wrote to memory of 1952	1352	ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe	27
PID 1352 wrote to memory of 1952	1352	ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe	27
PID 1352 wrote to memory of 1952	1352	ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe	27
PID 1352 wrote to memory of 1512	1352	ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe	30
PID 1352 wrote to memory of 1512	1352	ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe	30
PID 1352 wrote to memory of 1512	1352	ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe	30
PID 1352 wrote to memory of 1512	1352	ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe	30

C:\Users\Admin\AppData\Local\Temp\ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe
"C:\Users\Admin\AppData\Local\Temp\ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zCaIIpkruTk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp88B1.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1952
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ab3b1f4c788168d606c3cc571546660e41d39f6ca4fb3bcfd16a851889be4c0f.exe'
  2⤵
  PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp88B1.tmp

Filesize
1KB

MD5
543943a0bfe2979f647db6faca38111d

SHA1
82989c53f679751e92514db4d529229ecb9bccef

SHA256
3f749cdd00417a0fe34f3679deae8c6f3bde00a8d0e38326762f7b6bc777ae99

SHA512
203aec865ea436d155cd8d836b197615e8904064f49d4d71bf5843db4a373596a206289d3610352cf7a719ca42fbc538c76b19508c3b685167c90cd37b554934

Download Submit
memory/1352-54-0x0000000000F20000-0x0000000001042000-memory.dmp

Filesize
1.1MB

Download
memory/1352-55-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1352-56-0x00000000004D0000-0x00000000004DA000-memory.dmp

Filesize
40KB

Download
memory/1352-57-0x0000000005530000-0x00000000055E8000-memory.dmp

Filesize
736KB

Download
memory/1352-58-0x0000000006190000-0x0000000006246000-memory.dmp

Filesize
728KB

Download
memory/1352-61-0x0000000004800000-0x0000000004886000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads