masslogger | 267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864

General

Target

267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe
Size

1.1MB
MD5

627a28f533e23ded6ae31d98a8976482
SHA1

7aaf1e14c7464250a995abb85b6dc87288a646f3
SHA256

267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864
SHA512

e69541a6592d4cd1fefa48b86f1eef3123cb81affdb8c8f0b1f2cdb5876b9b75daa2d5cd6cc5d4577e1c90a0e2adf3f2defbced180dd1d7b81a73bd2a2a999d8

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1120-132-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

Processes:

267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe

description	pid	process	target process
PID 4404 set thread context of 1120	4404	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe

pid	process
4404	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe
4404	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe
4404	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exedw20.exe

description	pid	process
Token: SeDebugPrivilege	4404	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe
Token: SeRestorePrivilege	2968	dw20.exe
Token: SeBackupPrivilege	2968	dw20.exe
Token: SeBackupPrivilege	2968	dw20.exe
Token: SeBackupPrivilege	2968	dw20.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe

description	pid	process	target process
PID 4404 wrote to memory of 1120	4404	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe
PID 4404 wrote to memory of 1120	4404	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe
PID 4404 wrote to memory of 1120	4404	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe
PID 4404 wrote to memory of 1120	4404	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe
PID 4404 wrote to memory of 1120	4404	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe
PID 4404 wrote to memory of 1120	4404	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe
PID 4404 wrote to memory of 1120	4404	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe
PID 4404 wrote to memory of 1120	4404	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe
PID 1120 wrote to memory of 2968	1120	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe	dw20.exe
PID 1120 wrote to memory of 2968	1120	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe	dw20.exe
PID 1120 wrote to memory of 2968	1120	267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe
"C:\Users\Admin\AppData\Local\Temp\267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404

C:\Users\Admin\AppData\Local\Temp\267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 772
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\267763c03bf9ff7462b4b36ecc2f2fcaae977d9e53e3340eaead641a4c18b864.exe.log

Filesize
496B

MD5
cb76b18ebed3a9f05a14aed43d35fba6

SHA1
836a4b4e351846fca08b84149cb734cb59b8c0d6

SHA256
8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349

SHA512
7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

Download Submit
memory/1120-131-0x0000000000000000-mapping.dmp

Download
memory/1120-132-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1120-135-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/2968-134-0x0000000000000000-mapping.dmp

Download
memory/4404-130-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads