masslogger | 7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74

General

Target

7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe
Size

956KB
MD5

61d1229b0d488254e427690371417bad
SHA1

a5b44ab6d137d29a46b38926b95c6d3c70fb6c8d
SHA256

7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74
SHA512

5f865181f4b1d683c51f5e044f12be4987a3fbf4047d7f424f7805f3d350298f0b889910f9be423f5b8a5912dd137dced5f9e4c84575199edfd73d28d1ff1b27

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5104-136-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

Processes:

7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe

description	pid	process	target process
PID 4412 set thread context of 5104	4412	7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exeMSBuild.exepowershell.exe

pid	process
4412	7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe
4412	7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe
4412	7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe
5104	MSBuild.exe
5104	MSBuild.exe
460	powershell.exe
460	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exeMSBuild.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4412	7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe
Token: SeDebugPrivilege	5104	MSBuild.exe
Token: SeDebugPrivilege	460	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exeMSBuild.exe

description	pid	process	target process
PID 4412 wrote to memory of 5104	4412	7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe	MSBuild.exe
PID 4412 wrote to memory of 5104	4412	7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe	MSBuild.exe
PID 4412 wrote to memory of 5104	4412	7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe	MSBuild.exe
PID 4412 wrote to memory of 5104	4412	7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe	MSBuild.exe
PID 4412 wrote to memory of 5104	4412	7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe	MSBuild.exe
PID 4412 wrote to memory of 5104	4412	7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe	MSBuild.exe
PID 4412 wrote to memory of 5104	4412	7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe	MSBuild.exe
PID 4412 wrote to memory of 5104	4412	7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe	MSBuild.exe
PID 5104 wrote to memory of 460	5104	MSBuild.exe	powershell.exe
PID 5104 wrote to memory of 460	5104	MSBuild.exe	powershell.exe
PID 5104 wrote to memory of 460	5104	MSBuild.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe
"C:\Users\Admin\AppData\Local\Temp\7cd8e8bdf19cbdf511d7807ff8233413c544efeb9518e2171a4151790e9d2f74.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/460-142-0x00000000058D0000-0x0000000005936000-memory.dmp

Filesize
408KB

Download
memory/460-141-0x00000000051E0000-0x0000000005202000-memory.dmp

Filesize
136KB

Download
memory/460-139-0x0000000002690000-0x00000000026C6000-memory.dmp

Filesize
216KB

Download
memory/460-140-0x00000000052A0000-0x00000000058C8000-memory.dmp

Filesize
6.2MB

Download
memory/460-138-0x0000000000000000-mapping.dmp

Download
memory/460-146-0x0000000007010000-0x00000000070A6000-memory.dmp

Filesize
600KB

Download
memory/460-145-0x0000000006490000-0x00000000064AA000-memory.dmp

Filesize
104KB

Download
memory/460-144-0x00000000075F0000-0x0000000007C6A000-memory.dmp

Filesize
6.5MB

Download
memory/460-147-0x0000000006570000-0x0000000006592000-memory.dmp

Filesize
136KB

Download
memory/460-143-0x0000000005FB0000-0x0000000005FCE000-memory.dmp

Filesize
120KB

Download
memory/4412-132-0x00000000056C0000-0x0000000005752000-memory.dmp

Filesize
584KB

Download
memory/4412-133-0x0000000005660000-0x000000000566A000-memory.dmp

Filesize
40KB

Download
memory/4412-130-0x0000000000BB0000-0x0000000000CA6000-memory.dmp

Filesize
984KB

Download
memory/4412-131-0x0000000005BD0000-0x0000000006174000-memory.dmp

Filesize
5.6MB

Download
memory/4412-134-0x000000000E3C0000-0x000000000E45C000-memory.dmp

Filesize
624KB

Download
memory/5104-137-0x00000000051F0000-0x0000000005256000-memory.dmp

Filesize
408KB

Download
memory/5104-136-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5104-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads