masslogger | cafdb96c01c40316073dcd570dd863c2962d593b087275d0b493608f1d8ca20c

General

Target

QUOTE-FILE476544567493478.pdf.exe
Size

1.4MB
MD5

dae94a89e0be7fb5eeab946b07ddc57a
SHA1

be4e5889e429eaa15acc685864fbf64dd677a903
SHA256

9827d07eba83763e229dfa24ce8c14e3751b216bba993a299f333a429b08232f
SHA512

dadb69ee9bc230e29a0f6c96e675cb8f2bdf06ce6475959352f04515901caa412869be2ac89d780361d7e372819181cff0d24dffc70dd27be12c76ee691199dd

Score

10^/10

masslogger persistence spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4028-130-0x0000000000A00000-0x0000000000B6E000-memory.dmp	family_masslogger
C:\Users\Admin\Documents\app.exe	family_masslogger
C:\Users\Admin\Documents\app.exe	family_masslogger
behavioral2/memory/4024-139-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger

Executes dropped EXE 2 IoCs

Processes:

app.exeRegAsm.exe

pid process

3528 app.exe
4024 RegAsm.exe

pid	process
3528	app.exe
4024	RegAsm.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

QUOTE-FILE476544567493478.pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	QUOTE-FILE476544567493478.pdf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\app = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\Documents\\app.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

app.exe

description pid process target process

PID 3528 set thread context of 4024 3528 app.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3528 set thread context of 4024	3528	app.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

QUOTE-FILE476544567493478.pdf.exeapp.exeRegAsm.exepowershell.exe

pid	process
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
4028	QUOTE-FILE476544567493478.pdf.exe
3528	app.exe
3528	app.exe
3528	app.exe
4024	RegAsm.exe
4024	RegAsm.exe
5020	powershell.exe
5020	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

QUOTE-FILE476544567493478.pdf.exeapp.exeRegAsm.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4028	QUOTE-FILE476544567493478.pdf.exe
Token: SeDebugPrivilege	3528	app.exe
Token: SeDebugPrivilege	4024	RegAsm.exe
Token: SeDebugPrivilege	5020	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

QUOTE-FILE476544567493478.pdf.execmd.exeapp.exeRegAsm.execmd.exe

description	pid	process	target process
PID 4028 wrote to memory of 3344	4028	QUOTE-FILE476544567493478.pdf.exe	cmd.exe
PID 4028 wrote to memory of 3344	4028	QUOTE-FILE476544567493478.pdf.exe	cmd.exe
PID 4028 wrote to memory of 3344	4028	QUOTE-FILE476544567493478.pdf.exe	cmd.exe
PID 3344 wrote to memory of 3532	3344	cmd.exe	reg.exe
PID 3344 wrote to memory of 3532	3344	cmd.exe	reg.exe
PID 3344 wrote to memory of 3532	3344	cmd.exe	reg.exe
PID 4028 wrote to memory of 3528	4028	QUOTE-FILE476544567493478.pdf.exe	app.exe
PID 4028 wrote to memory of 3528	4028	QUOTE-FILE476544567493478.pdf.exe	app.exe
PID 4028 wrote to memory of 3528	4028	QUOTE-FILE476544567493478.pdf.exe	app.exe
PID 3528 wrote to memory of 4024	3528	app.exe	RegAsm.exe
PID 3528 wrote to memory of 4024	3528	app.exe	RegAsm.exe
PID 3528 wrote to memory of 4024	3528	app.exe	RegAsm.exe
PID 3528 wrote to memory of 4024	3528	app.exe	RegAsm.exe
PID 3528 wrote to memory of 4024	3528	app.exe	RegAsm.exe
PID 3528 wrote to memory of 4024	3528	app.exe	RegAsm.exe
PID 3528 wrote to memory of 4024	3528	app.exe	RegAsm.exe
PID 3528 wrote to memory of 4024	3528	app.exe	RegAsm.exe
PID 4024 wrote to memory of 3648	4024	RegAsm.exe	cmd.exe
PID 4024 wrote to memory of 3648	4024	RegAsm.exe	cmd.exe
PID 4024 wrote to memory of 3648	4024	RegAsm.exe	cmd.exe
PID 3648 wrote to memory of 5020	3648	cmd.exe	powershell.exe
PID 3648 wrote to memory of 5020	3648	cmd.exe	powershell.exe
PID 3648 wrote to memory of 5020	3648	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\QUOTE-FILE476544567493478.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTE-FILE476544567493478.pdf.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v app /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Documents\app.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v app /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Documents\app.exe"
3⤵
- Adds Run key to start application
PID:3532

C:\Users\Admin\Documents\app.exe
"C:\Users\Admin\Documents\app.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3528

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\RegAsm.exe' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\RegAsm.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\Documents\app.exe
Filesize
1.4MB

MD5
dae94a89e0be7fb5eeab946b07ddc57a

SHA1
be4e5889e429eaa15acc685864fbf64dd677a903

SHA256
9827d07eba83763e229dfa24ce8c14e3751b216bba993a299f333a429b08232f

SHA512
dadb69ee9bc230e29a0f6c96e675cb8f2bdf06ce6475959352f04515901caa412869be2ac89d780361d7e372819181cff0d24dffc70dd27be12c76ee691199dd

Download Submit
C:\Users\Admin\Documents\app.exe
Filesize
1.4MB

MD5
dae94a89e0be7fb5eeab946b07ddc57a

SHA1
be4e5889e429eaa15acc685864fbf64dd677a903

SHA256
9827d07eba83763e229dfa24ce8c14e3751b216bba993a299f333a429b08232f

SHA512
dadb69ee9bc230e29a0f6c96e675cb8f2bdf06ce6475959352f04515901caa412869be2ac89d780361d7e372819181cff0d24dffc70dd27be12c76ee691199dd

Download Submit
memory/3344-133-0x0000000000000000-mapping.dmp

Download
memory/3528-135-0x0000000000000000-mapping.dmp

Download
memory/3532-134-0x0000000000000000-mapping.dmp

Download
memory/3648-144-0x0000000000000000-mapping.dmp

Download
memory/4024-142-0x0000000004F50000-0x0000000004FEC000-memory.dmp

Filesize
624KB

Download
memory/4024-139-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4024-138-0x0000000000000000-mapping.dmp

Download
memory/4024-143-0x00000000050E0000-0x0000000005146000-memory.dmp

Filesize
408KB

Download
memory/4028-132-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/4028-130-0x0000000000A00000-0x0000000000B6E000-memory.dmp

Filesize
1.4MB

Download
memory/4028-131-0x00000000061C0000-0x0000000006764000-memory.dmp

Filesize
5.6MB

Download
memory/5020-147-0x0000000005530000-0x0000000005B58000-memory.dmp

Filesize
6.2MB

Download
memory/5020-146-0x0000000004DA0000-0x0000000004DD6000-memory.dmp

Filesize
216KB

Download
memory/5020-145-0x0000000000000000-mapping.dmp

Download
memory/5020-148-0x0000000005470000-0x0000000005492000-memory.dmp

Filesize
136KB

Download
memory/5020-149-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/5020-150-0x0000000006350000-0x000000000636E000-memory.dmp

Filesize
120KB

Download
memory/5020-151-0x0000000007980000-0x0000000007FFA000-memory.dmp

Filesize
6.5MB

Download
memory/5020-152-0x0000000006820000-0x000000000683A000-memory.dmp

Filesize
104KB

Download
memory/5020-153-0x00000000075A0000-0x0000000007636000-memory.dmp

Filesize
600KB

Download
memory/5020-154-0x0000000006910000-0x0000000006932000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads