masslogger | f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64

General

Target

f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe
Size

1.2MB
MD5

93691c5a4445ff293229299f17d4c1f9
SHA1

d35793248343061d6b01718838de0023e8b20295
SHA256

f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64
SHA512

a6bfd4e26771ad0e38ff20052cf9f3535185e4ec60d162a3c143f178ae679b55ff4d93b82a2b8e3a01937db4243af235d142ba9465288e34a79efc15b047b1e9

Score

10^/10

masslogger ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.4.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/20/2022 11:39:54 PM MassLogger Started: 5/20/2022 11:39:47 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 32 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1792-57-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-58-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-61-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-63-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-65-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-67-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-69-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-71-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-73-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-75-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-77-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-79-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-81-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-83-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-85-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-87-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-89-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-91-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-93-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-95-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-97-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-99-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-101-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-103-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-105-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-107-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-109-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-111-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-113-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-115-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-117-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger
behavioral1/memory/1792-119-0x0000000001EF0000-0x0000000001F98000-memory.dmp	family_masslogger

MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file

yara_rule
masslogger_log_file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org

flow	ioc
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe

description	pid	process	target process
PID 1376 set thread context of 1792	1376	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exef487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe

pid	process
1376	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe
1792	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe

pid process

1376 f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe

description pid process

Token: SeDebugPrivilege 1792 f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe

description	pid	process
Token: SeDebugPrivilege	1792	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe

description	pid	process	target process
PID 1376 wrote to memory of 1792	1376	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe
PID 1376 wrote to memory of 1792	1376	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe
PID 1376 wrote to memory of 1792	1376	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe
PID 1376 wrote to memory of 1792	1376	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe

C:\Users\Admin\AppData\Local\Temp\f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe
"C:\Users\Admin\AppData\Local\Temp\f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe
"C:\Users\Admin\AppData\Local\Temp\f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1376-56-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/1376-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1792-87-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-69-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-58-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-61-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-55-0x0000000000566A20-mapping.dmp

Download
memory/1792-65-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-67-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-89-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-71-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-91-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-75-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-77-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-79-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-81-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-83-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-85-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-63-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-57-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-73-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-93-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-95-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-97-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-99-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-101-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-103-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-105-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-107-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-109-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-111-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-113-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-115-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-117-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-119-0x0000000001EF0000-0x0000000001F98000-memory.dmp

Filesize
672KB

Download
memory/1792-566-0x0000000004C85000-0x0000000004C96000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads