masslogger | f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64

Analysis

max time kernel
98s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe
Size

1.2MB
MD5

93691c5a4445ff293229299f17d4c1f9
SHA1

d35793248343061d6b01718838de0023e8b20295
SHA256

f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64
SHA512

a6bfd4e26771ad0e38ff20052cf9f3535185e4ec60d162a3c143f178ae679b55ff4d93b82a2b8e3a01937db4243af235d142ba9465288e34a79efc15b047b1e9

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 33 IoCs

resource	yara_rule
behavioral2/memory/4312-132-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-133-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-135-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-137-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-139-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-141-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-143-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-145-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-147-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-149-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-151-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-153-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-155-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-157-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-159-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-161-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-163-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-165-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-167-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-169-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-171-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-173-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-175-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-177-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-179-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-181-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-183-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-185-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-187-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-189-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-191-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-195-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger
behavioral2/memory/4312-193-0x0000000000BF0000-0x0000000000C98000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3544 set thread context of 4312	3544	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe	79

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3544	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe
3544	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe
1508	powershell.exe
1508	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3544	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4312	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe
Token: SeDebugPrivilege	1508	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 4312	3544	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe	79
PID 3544 wrote to memory of 4312	3544	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe	79
PID 3544 wrote to memory of 4312	3544	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe	79
PID 4312 wrote to memory of 1772	4312	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe	85
PID 4312 wrote to memory of 1772	4312	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe	85
PID 4312 wrote to memory of 1772	4312	f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe	85
PID 1772 wrote to memory of 1508	1772	cmd.exe	88
PID 1772 wrote to memory of 1508	1772	cmd.exe	88
PID 1772 wrote to memory of 1508	1772	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe
"C:\Users\Admin\AppData\Local\Temp\f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Users\Admin\AppData\Local\Temp\f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe
  "C:\Users\Admin\AppData\Local\Temp\f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\f487db26e46dc5067bca06003759d119dae50ff6c527a8c68fc01d73f41f4a64.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1508-653-0x00000000068D0000-0x00000000068F2000-memory.dmp

Filesize
136KB

Download
memory/1508-652-0x0000000007550000-0x00000000075E6000-memory.dmp

Filesize
600KB

Download
memory/1508-651-0x0000000006800000-0x000000000681A000-memory.dmp

Filesize
104KB

Download
memory/1508-650-0x0000000007B30000-0x00000000081AA000-memory.dmp

Filesize
6.5MB

Download
memory/1508-649-0x0000000005090000-0x00000000050AE000-memory.dmp

Filesize
120KB

Download
memory/1508-648-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/1508-647-0x0000000005210000-0x0000000005232000-memory.dmp

Filesize
136KB

Download
memory/1508-646-0x00000000055E0000-0x0000000005C08000-memory.dmp

Filesize
6.2MB

Download
memory/1508-645-0x00000000029C0000-0x00000000029F6000-memory.dmp

Filesize
216KB

Download
memory/3544-131-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/4312-175-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-189-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-155-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-157-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-159-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-161-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-163-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-165-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-167-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-169-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-171-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-173-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-177-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-179-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-181-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-183-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-185-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-187-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-153-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-191-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-195-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-193-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-640-0x0000000004BB0000-0x0000000004C42000-memory.dmp

Filesize
584KB

Download
memory/4312-641-0x0000000004F70000-0x0000000005514000-memory.dmp

Filesize
5.6MB

Download
memory/4312-642-0x0000000005580000-0x00000000055E6000-memory.dmp

Filesize
408KB

Download
memory/4312-151-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-149-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-147-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-145-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-143-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-141-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-139-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-137-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-135-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-133-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download
memory/4312-132-0x0000000000BF0000-0x0000000000C98000-memory.dmp

Filesize
672KB

Download