masslogger | b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592

General

Target

b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
Size

824KB
MD5

5faca701184189e435ec2048d8a2044d
SHA1

5447fdb7ffb7a099a2f027c74a53cc137fc3c44d
SHA256

b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592
SHA512

49fff6399a1a8a1ba2ad93a863d41f9f1fa9650373be009e3bdfc6bd47849ffc9d279c3afd03da4f0cc846261b558deada472eaa9ca42d1c6c4c7e25610a5cce

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3756-139-0x0000000000400000-0x0000000000486000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe

description	pid	process	target process
PID 4744 set thread context of 3756	4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4072 schtasks.exe

pid	process
4072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exeb134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exepowershell.exe

pid	process
4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
3756	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
3756	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
1356	powershell.exe
1356	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exeb134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
Token: SeDebugPrivilege	3756	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
Token: SeDebugPrivilege	1356	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exeb134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe

C:\Users\Admin\AppData\Local\Temp\b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
"C:\Users\Admin\AppData\Local\Temp\b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bBEKkPV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2AC4.tmp"
2⤵
- Creates scheduled task(s)
PID:4072

C:\Users\Admin\AppData\Local\Temp\b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
"{path}"
2⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2AC4.tmp

Filesize
1KB

MD5
e4fcd68dc7c9138110abbe0e485a67a1

SHA1
13818ef7c4805fe022cc53d0ea8e21d57134f8ae

SHA256
7bd00261a7897bb20085c5bf6aa791ea5ac98cbd952e7935c5a51baff01b3f8f

SHA512
45982da2f8b427cbc2293965518cfac6f39de917b4978ba5077eba694d1017c3f9c3b3ba4f737e2e3025f24f5e933de6e3402cbc212edfccc0d5c61dec8e0be0

Download Submit
memory/1356-149-0x00000000065E0000-0x00000000065FA000-memory.dmp

Filesize
104KB

Download
memory/1356-143-0x0000000004AB0000-0x0000000004AE6000-memory.dmp

Filesize
216KB

Download
memory/1356-148-0x00000000076F0000-0x0000000007D6A000-memory.dmp

Filesize
6.5MB

Download
memory/1356-147-0x0000000004DD0000-0x0000000004DEE000-memory.dmp

Filesize
120KB

Download
memory/1356-150-0x0000000007120000-0x00000000071B6000-memory.dmp

Filesize
600KB

Download
memory/1356-146-0x00000000051C0000-0x0000000005226000-memory.dmp

Filesize
408KB

Download
memory/1356-145-0x00000000050A0000-0x00000000050C2000-memory.dmp

Filesize
136KB

Download
memory/1356-144-0x0000000005270000-0x0000000005898000-memory.dmp

Filesize
6.2MB

Download
memory/1356-141-0x0000000000000000-mapping.dmp

Download
memory/1356-151-0x0000000006650000-0x0000000006672000-memory.dmp

Filesize
136KB

Download
memory/2312-137-0x0000000000000000-mapping.dmp

Download
memory/3756-140-0x0000000005C80000-0x0000000005CE6000-memory.dmp

Filesize
408KB

Download
memory/3756-139-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3756-138-0x0000000000000000-mapping.dmp

Download
memory/4072-135-0x0000000000000000-mapping.dmp

Download
memory/4744-130-0x00000000009B0000-0x0000000000A84000-memory.dmp

Filesize
848KB

Download
memory/4744-134-0x0000000008C00000-0x0000000008C9C000-memory.dmp

Filesize
624KB

Download
memory/4744-133-0x0000000005430000-0x000000000543A000-memory.dmp

Filesize
40KB

Download
memory/4744-132-0x0000000005470000-0x0000000005502000-memory.dmp

Filesize
584KB

Download
memory/4744-131-0x0000000005AE0000-0x0000000006084000-memory.dmp

Filesize
5.6MB

Download

description	pid	process	target process
PID 4744 wrote to memory of 4072	4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe	schtasks.exe
PID 4744 wrote to memory of 4072	4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe	schtasks.exe
PID 4744 wrote to memory of 4072	4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe	schtasks.exe
PID 4744 wrote to memory of 2312	4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
PID 4744 wrote to memory of 2312	4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
PID 4744 wrote to memory of 2312	4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
PID 4744 wrote to memory of 3756	4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
PID 4744 wrote to memory of 3756	4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
PID 4744 wrote to memory of 3756	4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
PID 4744 wrote to memory of 3756	4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
PID 4744 wrote to memory of 3756	4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
PID 4744 wrote to memory of 3756	4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
PID 4744 wrote to memory of 3756	4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
PID 4744 wrote to memory of 3756	4744	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe
PID 3756 wrote to memory of 1356	3756	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe	powershell.exe
PID 3756 wrote to memory of 1356	3756	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe	powershell.exe
PID 3756 wrote to memory of 1356	3756	b134fc241ecd93ac658ded7bdad5eaf5f600f255e3fc05c383c23aad8b045592.exe	powershell.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads