masslogger | 65319ec78c3c672d29c9795c4f1c91285c59879c88701905d214e39f886a488a

Analysis

max time kernel
139s
max time network
138s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ziraat Bankasi Swift.exe
Size

676KB
MD5

dc0c0581231219dbd8c51210499ed5f4
SHA1

0f185c40acced956c10fbad1ee52950b72618db8
SHA256

1807db4729b2057e9e43ceefc3502ebd7a988e248ede3c56d85f7f5befdafd06
SHA512

5bcc5849043c7d4b316a621018705cc20f920e0e92ebe3a96f4b997aa2b3fd2f1f2e4796b69737ca5696060f6adbb0ab492be3e66fc0e7a4d5b15cac2e2e8aea

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 32 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1916-62-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-63-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-65-0x00000000004A18CE-mapping.dmp	family_masslogger
behavioral1/memory/1916-64-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-67-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-69-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-72-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-74-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-76-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-78-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-80-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-84-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-82-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-90-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-88-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-86-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-92-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-94-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-96-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-98-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-104-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-102-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-100-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-106-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-110-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-108-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-114-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-116-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-112-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-118-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-120-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1916-122-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger

MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Ziraat Bankasi Swift.exe

description pid process target process

PID 844 set thread context of 1916 844 Ziraat Bankasi Swift.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1764 1916 WerFault.exe AppLaunch.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

AppLaunch.exe

pid process

1916 AppLaunch.exe

yara_rule
masslogger_log_file

flow	ioc
4	api.ipify.org

description	pid	process	target process
PID 844 set thread context of 1916	844	Ziraat Bankasi Swift.exe	AppLaunch.exe

pid	pid_target	process	target process
1764	1916	WerFault.exe	AppLaunch.exe

pid	process
1916	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

Ziraat Bankasi Swift.exeAppLaunch.exe

pid	process
844	Ziraat Bankasi Swift.exe
844	Ziraat Bankasi Swift.exe
844	Ziraat Bankasi Swift.exe
844	Ziraat Bankasi Swift.exe
844	Ziraat Bankasi Swift.exe
844	Ziraat Bankasi Swift.exe
844	Ziraat Bankasi Swift.exe
844	Ziraat Bankasi Swift.exe
1916	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Ziraat Bankasi Swift.exeAppLaunch.exe

description pid process

Token: SeDebugPrivilege 844 Ziraat Bankasi Swift.exe
Token: SeDebugPrivilege 1916 AppLaunch.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AppLaunch.exe

pid process

1916 AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	844	Ziraat Bankasi Swift.exe
Token: SeDebugPrivilege	1916	AppLaunch.exe

pid	process
1916	AppLaunch.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Ziraat Bankasi Swift.exeAppLaunch.exe

description	pid	process	target process
PID 844 wrote to memory of 1916	844	Ziraat Bankasi Swift.exe	AppLaunch.exe
PID 844 wrote to memory of 1916	844	Ziraat Bankasi Swift.exe	AppLaunch.exe
PID 844 wrote to memory of 1916	844	Ziraat Bankasi Swift.exe	AppLaunch.exe
PID 844 wrote to memory of 1916	844	Ziraat Bankasi Swift.exe	AppLaunch.exe
PID 844 wrote to memory of 1916	844	Ziraat Bankasi Swift.exe	AppLaunch.exe
PID 844 wrote to memory of 1916	844	Ziraat Bankasi Swift.exe	AppLaunch.exe
PID 844 wrote to memory of 1916	844	Ziraat Bankasi Swift.exe	AppLaunch.exe
PID 844 wrote to memory of 1916	844	Ziraat Bankasi Swift.exe	AppLaunch.exe
PID 844 wrote to memory of 1916	844	Ziraat Bankasi Swift.exe	AppLaunch.exe
PID 844 wrote to memory of 1916	844	Ziraat Bankasi Swift.exe	AppLaunch.exe
PID 844 wrote to memory of 1916	844	Ziraat Bankasi Swift.exe	AppLaunch.exe
PID 844 wrote to memory of 1916	844	Ziraat Bankasi Swift.exe	AppLaunch.exe
PID 1916 wrote to memory of 1764	1916	AppLaunch.exe	WerFault.exe
PID 1916 wrote to memory of 1764	1916	AppLaunch.exe	WerFault.exe
PID 1916 wrote to memory of 1764	1916	AppLaunch.exe	WerFault.exe
PID 1916 wrote to memory of 1764	1916	AppLaunch.exe	WerFault.exe
PID 1916 wrote to memory of 1764	1916	AppLaunch.exe	WerFault.exe
PID 1916 wrote to memory of 1764	1916	AppLaunch.exe	WerFault.exe
PID 1916 wrote to memory of 1764	1916	AppLaunch.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1428
3⤵
- Program crash
PID:1764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-54-0x0000000000FF0000-0x00000000010A0000-memory.dmp

Filesize
704KB

Download
memory/844-55-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download
memory/844-56-0x0000000000EA0000-0x0000000000F40000-memory.dmp

Filesize
640KB

Download
memory/844-57-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/844-58-0x0000000000490000-0x00000000004A4000-memory.dmp

Filesize
80KB

Download
memory/1764-571-0x0000000000000000-mapping.dmp

Download
memory/1916-82-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-86-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-63-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-65-0x00000000004A18CE-mapping.dmp

Download
memory/1916-64-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-67-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-69-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-70-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1916-72-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-74-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-76-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-78-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-80-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-84-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-60-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-90-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-88-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-62-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-92-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-94-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-96-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-98-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-104-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-102-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-100-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-106-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-110-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-108-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-114-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-116-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-112-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-118-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-120-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-122-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1916-59-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download