masslogger | b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a

General

Target

b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exe
Size

659KB
MD5

cfb1b53060223753fed8d9cac55b9aa9
SHA1

8c74700d2eceb7d60cb1ba5f2c14e4ed75f9f61e
SHA256

b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a
SHA512

24f3758e16616b00d19d68291971bb75967b0560b9922b5f0d584afb538d4acd435cdd7c56f9271eee3d11bec5b0410b1a2b51f9a7becae7207e2c46cc83dc40

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2444-138-0x0000000000750000-0x00000000007D6000-memory.dmp	family_masslogger

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

2444 svhost.exe

pid	process
2444	svhost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exe

description	pid	process	target process
PID 4308 set thread context of 2444	4308	b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exe	svhost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exesvhost.exepowershell.exe

pid process

4308 b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exe
2444 svhost.exe
2444 svhost.exe
1648 powershell.exe
1648 powershell.exe

pid	process
4308	b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exe
2444	svhost.exe
2444	svhost.exe
1648	powershell.exe
1648	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exesvhost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4308	b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exe
Token: 33	4308	b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exe
Token: SeIncBasePriorityPrivilege	4308	b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exe
Token: SeDebugPrivilege	2444	svhost.exe
Token: SeDebugPrivilege	1648	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exesvhost.exe

description	pid	process	target process
PID 4308 wrote to memory of 2444	4308	b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exe	svhost.exe
PID 4308 wrote to memory of 2444	4308	b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exe	svhost.exe
PID 4308 wrote to memory of 2444	4308	b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exe	svhost.exe
PID 4308 wrote to memory of 2444	4308	b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exe	svhost.exe
PID 4308 wrote to memory of 2444	4308	b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exe	svhost.exe
PID 4308 wrote to memory of 2444	4308	b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exe	svhost.exe
PID 4308 wrote to memory of 2444	4308	b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exe	svhost.exe
PID 4308 wrote to memory of 2444	4308	b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exe	svhost.exe
PID 2444 wrote to memory of 1648	2444	svhost.exe	powershell.exe
PID 2444 wrote to memory of 1648	2444	svhost.exe	powershell.exe
PID 2444 wrote to memory of 1648	2444	svhost.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exe
"C:\Users\Admin\AppData\Local\Temp\b770e8a6e3fa734aef0f401a988cfbe6925ac4da81c76f7dc4b0e8d1d105227a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\svhost.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
memory/1648-143-0x0000000004E80000-0x0000000004EA2000-memory.dmp

Filesize
136KB

Download
memory/1648-149-0x0000000006400000-0x0000000006422000-memory.dmp

Filesize
136KB

Download
memory/1648-148-0x0000000006EE0000-0x0000000006F76000-memory.dmp

Filesize
600KB

Download
memory/1648-147-0x0000000006340000-0x000000000635A000-memory.dmp

Filesize
104KB

Download
memory/1648-146-0x00000000074C0000-0x0000000007B3A000-memory.dmp

Filesize
6.5MB

Download
memory/1648-145-0x0000000005E30000-0x0000000005E4E000-memory.dmp

Filesize
120KB

Download
memory/1648-144-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/1648-140-0x0000000000000000-mapping.dmp

Download
memory/1648-141-0x0000000004880000-0x00000000048B6000-memory.dmp

Filesize
216KB

Download
memory/1648-142-0x0000000004EF0000-0x0000000005518000-memory.dmp

Filesize
6.2MB

Download
memory/2444-134-0x0000000000000000-mapping.dmp

Download
memory/2444-139-0x00000000051F0000-0x0000000005256000-memory.dmp

Filesize
408KB

Download
memory/2444-138-0x0000000000750000-0x00000000007D6000-memory.dmp

Filesize
536KB

Download
memory/4308-130-0x0000000000F40000-0x0000000000FEA000-memory.dmp

Filesize
680KB

Download
memory/4308-133-0x0000000005AF0000-0x0000000005B8C000-memory.dmp

Filesize
624KB

Download
memory/4308-132-0x00000000059C0000-0x0000000005A52000-memory.dmp

Filesize
584KB

Download
memory/4308-131-0x0000000006270000-0x0000000006814000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads