masslogger | e791be548680d5d53a82788931e377a527d3f6bf690dc5c798ce1ef34a37fe92

General

Target

INQUIRY No. 310720205467_pdf.exe
Size

1.2MB
MD5

618c581392b7271abdf40a8b376e8324
SHA1

64540d461fb9bfedeaf9df200c960970bea164fd
SHA256

dccd0903a7912382f20b16beb29d93c14435e41ee655c2e88740879089d56fca
SHA512

4501cc013e50a84968a9bb78ad585a31db8726226656e46bc4310d3843f479fd20531685b691845a170f61324277ce1d50b7b2be8662ace239f63a4f6fcf2311

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4192-130-0x0000000000640000-0x0000000000778000-memory.dmp	family_masslogger
behavioral2/memory/4460-134-0x0000000000400000-0x000000000049A000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

Processes:

INQUIRY No. 310720205467_pdf.exe

description pid process target process

PID 4192 set thread context of 4460 4192 INQUIRY No. 310720205467_pdf.exe INQUIRY No. 310720205467_pdf.exe

description	pid	process	target process
PID 4192 set thread context of 4460	4192	INQUIRY No. 310720205467_pdf.exe	INQUIRY No. 310720205467_pdf.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

INQUIRY No. 310720205467_pdf.exepowershell.exe

pid	process
4192	INQUIRY No. 310720205467_pdf.exe
4192	INQUIRY No. 310720205467_pdf.exe
4192	INQUIRY No. 310720205467_pdf.exe
4104	powershell.exe
4104	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

INQUIRY No. 310720205467_pdf.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4192 INQUIRY No. 310720205467_pdf.exe
Token: SeDebugPrivilege 4104 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4192	INQUIRY No. 310720205467_pdf.exe
Token: SeDebugPrivilege	4104	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

INQUIRY No. 310720205467_pdf.exeINQUIRY No. 310720205467_pdf.execmd.exe

description	pid	process	target process
PID 4192 wrote to memory of 4460	4192	INQUIRY No. 310720205467_pdf.exe	INQUIRY No. 310720205467_pdf.exe
PID 4192 wrote to memory of 4460	4192	INQUIRY No. 310720205467_pdf.exe	INQUIRY No. 310720205467_pdf.exe
PID 4192 wrote to memory of 4460	4192	INQUIRY No. 310720205467_pdf.exe	INQUIRY No. 310720205467_pdf.exe
PID 4192 wrote to memory of 4460	4192	INQUIRY No. 310720205467_pdf.exe	INQUIRY No. 310720205467_pdf.exe
PID 4192 wrote to memory of 4460	4192	INQUIRY No. 310720205467_pdf.exe	INQUIRY No. 310720205467_pdf.exe
PID 4192 wrote to memory of 4460	4192	INQUIRY No. 310720205467_pdf.exe	INQUIRY No. 310720205467_pdf.exe
PID 4192 wrote to memory of 4460	4192	INQUIRY No. 310720205467_pdf.exe	INQUIRY No. 310720205467_pdf.exe
PID 4192 wrote to memory of 4460	4192	INQUIRY No. 310720205467_pdf.exe	INQUIRY No. 310720205467_pdf.exe
PID 4460 wrote to memory of 2040	4460	INQUIRY No. 310720205467_pdf.exe	cmd.exe
PID 4460 wrote to memory of 2040	4460	INQUIRY No. 310720205467_pdf.exe	cmd.exe
PID 4460 wrote to memory of 2040	4460	INQUIRY No. 310720205467_pdf.exe	cmd.exe
PID 2040 wrote to memory of 4104	2040	cmd.exe	powershell.exe
PID 2040 wrote to memory of 4104	2040	cmd.exe	powershell.exe
PID 2040 wrote to memory of 4104	2040	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\INQUIRY No. 310720205467_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY No. 310720205467_pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4192

C:\Users\Admin\AppData\Local\Temp\INQUIRY No. 310720205467_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY No. 310720205467_pdf.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\INQUIRY No. 310720205467_pdf.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\INQUIRY No. 310720205467_pdf.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INQUIRY No. 310720205467_pdf.exe.log

Filesize
1KB

MD5
fc13935f3038bdde6cb484249fbff668

SHA1
a4c32013e6d59bf1eb1a5119456965de191e62b8

SHA256
de064c569a5f4edaf2da91d7bcb82bab06a35190b699cede1da0aa616a23d676

SHA512
5817275af0f8a48eb1e008d39f62fb3582db9a2d21a806e9f9ee36fbfd799fb17e91f0e3686f4b236724fe78f14ae7f40cd3755f0ec0fb6734ce42f996b798f7

Download Submit
memory/2040-138-0x0000000000000000-mapping.dmp

Download
memory/4104-142-0x0000000005650000-0x0000000005672000-memory.dmp

Filesize
136KB

Download
memory/4104-145-0x0000000007500000-0x0000000007B7A000-memory.dmp

Filesize
6.5MB

Download
memory/4104-148-0x0000000006460000-0x0000000006482000-memory.dmp

Filesize
136KB

Download
memory/4104-147-0x0000000007120000-0x00000000071B6000-memory.dmp

Filesize
600KB

Download
memory/4104-146-0x00000000063A0000-0x00000000063BA000-memory.dmp

Filesize
104KB

Download
memory/4104-144-0x0000000005EA0000-0x0000000005EBE000-memory.dmp

Filesize
120KB

Download
memory/4104-143-0x00000000057F0000-0x0000000005856000-memory.dmp

Filesize
408KB

Download
memory/4104-139-0x0000000000000000-mapping.dmp

Download
memory/4104-140-0x0000000002590000-0x00000000025C6000-memory.dmp

Filesize
216KB

Download
memory/4104-141-0x0000000004FF0000-0x0000000005618000-memory.dmp

Filesize
6.2MB

Download
memory/4192-130-0x0000000000640000-0x0000000000778000-memory.dmp

Filesize
1.2MB

Download
memory/4192-131-0x0000000005F20000-0x00000000064C4000-memory.dmp

Filesize
5.6MB

Download
memory/4192-132-0x0000000005A50000-0x0000000005AE2000-memory.dmp

Filesize
584KB

Download
memory/4460-137-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/4460-133-0x0000000000000000-mapping.dmp

Download
memory/4460-136-0x0000000005780000-0x000000000581C000-memory.dmp

Filesize
624KB

Download
memory/4460-134-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads