masslogger | 282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600

General

Target

282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe
Size

987KB
MD5

0ced1954e108922776299f72f9f753a9
SHA1

7b7a7ad5cdfbdabc75dae2da28f291fef7d85740
SHA256

282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600
SHA512

eeca6bbca568c94fd935c1ad6e26fc8f6728737f6443bdfd4f51a9fde72a594595bb7c39ad20eb91881968e9d6de4dc49bebe8bfeaa0796701a5682ce22a70e4

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4092-135-0x0000000000B70000-0x0000000000BF6000-memory.dmp	family_masslogger
behavioral2/memory/4092-134-0x0000000000B70000-0x0000000000BF6000-memory.dmp	family_masslogger

Drops startup file 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wowowow.vbs notepad.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wowowow.vbs	notepad.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe

description	pid	process	target process
PID 5068 set thread context of 4092	5068	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exepowershell.exe

pid	process
5068	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe
5068	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe
4092	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe
4092	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe
4920	powershell.exe
4920	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe

pid process

5068 282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4092	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe
Token: SeDebugPrivilege	4920	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe

description	pid	process	target process
PID 5068 wrote to memory of 1916	5068	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe	notepad.exe
PID 5068 wrote to memory of 1916	5068	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe	notepad.exe
PID 5068 wrote to memory of 1916	5068	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe	notepad.exe
PID 5068 wrote to memory of 1916	5068	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe	notepad.exe
PID 5068 wrote to memory of 1916	5068	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe	notepad.exe
PID 5068 wrote to memory of 4092	5068	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe
PID 5068 wrote to memory of 4092	5068	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe
PID 5068 wrote to memory of 4092	5068	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe
PID 4092 wrote to memory of 4920	4092	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe	powershell.exe
PID 4092 wrote to memory of 4920	4092	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe	powershell.exe
PID 4092 wrote to memory of 4920	4092	282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe
"C:\Users\Admin\AppData\Local\Temp\282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Drops startup file
PID:1916

C:\Users\Admin\AppData\Local\Temp\282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe
"C:\Users\Admin\AppData\Local\Temp\282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\282205512cc88189b523d3a7dd187ebf548e5771f110acb55ebf507b01f3e600.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1916-132-0x0000000000000000-mapping.dmp

Download
memory/4092-138-0x0000000005400000-0x0000000005466000-memory.dmp

Filesize
408KB

Download
memory/4092-133-0x0000000000000000-mapping.dmp

Download
memory/4092-135-0x0000000000B70000-0x0000000000BF6000-memory.dmp

Filesize
536KB

Download
memory/4092-134-0x0000000000B70000-0x0000000000BF6000-memory.dmp

Filesize
536KB

Download
memory/4092-136-0x0000000004CF0000-0x0000000004D82000-memory.dmp

Filesize
584KB

Download
memory/4092-137-0x0000000004E50000-0x00000000053F4000-memory.dmp

Filesize
5.6MB

Download
memory/4920-139-0x0000000000000000-mapping.dmp

Download
memory/4920-140-0x0000000002FF0000-0x0000000003026000-memory.dmp

Filesize
216KB

Download
memory/4920-141-0x0000000005A70000-0x0000000006098000-memory.dmp

Filesize
6.2MB

Download
memory/4920-142-0x0000000005930000-0x0000000005952000-memory.dmp

Filesize
136KB

Download
memory/4920-143-0x0000000006210000-0x0000000006276000-memory.dmp

Filesize
408KB

Download
memory/4920-144-0x00000000068F0000-0x000000000690E000-memory.dmp

Filesize
120KB

Download
memory/4920-145-0x0000000007F50000-0x00000000085CA000-memory.dmp

Filesize
6.5MB

Download
memory/4920-146-0x0000000006E00000-0x0000000006E1A000-memory.dmp

Filesize
104KB

Download
memory/4920-147-0x0000000007B70000-0x0000000007C06000-memory.dmp

Filesize
600KB

Download
memory/4920-148-0x0000000006EB0000-0x0000000006ED2000-memory.dmp

Filesize
136KB

Download
memory/5068-131-0x00000000022B0000-0x00000000022C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads