masslogger | bcb30c2233345ccc3769c21dbfdecb20ec43339517204720f310ccfec29fe49a

Analysis

max time kernel
110s
max time network
65s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AUG10TH_.exe
Size

1.1MB
MD5

9d1676055eebd75eb7abd7a09528776f
SHA1

da284df615ccefcf583175ec88ea887fc1d769b2
SHA256

b045f558a43c37201a204a240bd09b7da12735958ad5c8d317feff0044d132c4
SHA512

74197863ee985f7e974d794f3038dfe8bb4e1973107e424a06ed801c63b32a4e1fd2dd9be172343b8040bb663eaf5cb04a1b6659fa36b734d07a2e30547fb8fc

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2028-62-0x0000000000400000-0x00000000004C4000-memory.dmp	family_masslogger
behavioral1/memory/2028-65-0x0000000000400000-0x00000000004C4000-memory.dmp	family_masslogger
behavioral1/memory/2028-64-0x0000000000400000-0x00000000004C4000-memory.dmp	family_masslogger
behavioral1/memory/2028-66-0x00000000004B318E-mapping.dmp	family_masslogger
behavioral1/memory/2028-70-0x0000000000400000-0x00000000004C4000-memory.dmp	family_masslogger
behavioral1/memory/2028-68-0x0000000000400000-0x00000000004C4000-memory.dmp	family_masslogger

Executes dropped EXE 6 IoCs

Processes:

vlc.exevlc.exevlc.exevlc.exevlc.exevlc.exe

pid process

1096 vlc.exe
1212 vlc.exe
472 vlc.exe
456 vlc.exe
544 vlc.exe
316 vlc.exe

pid	process
1096	vlc.exe
1212	vlc.exe
472	vlc.exe
456	vlc.exe
544	vlc.exe
316	vlc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AUG10TH_.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation	AUG10TH_.exe

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1924 cmd.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

AUG10TH_.exe

description pid process target process

PID 1100 set thread context of 2028 1100 AUG10TH_.exe AUG10TH_.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1888 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1680 timeout.exe

pid	process
1924	cmd.exe

flow	ioc
4	api.ipify.org

description	pid	process	target process
PID 1100 set thread context of 2028	1100	AUG10TH_.exe	AUG10TH_.exe

pid	process
1888	schtasks.exe

pid	process
1680	timeout.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

AUG10TH_.exeAUG10TH_.exevlc.exe

pid	process
1100	AUG10TH_.exe
1100	AUG10TH_.exe
1100	AUG10TH_.exe
1100	AUG10TH_.exe
1100	AUG10TH_.exe
2028	AUG10TH_.exe
2028	AUG10TH_.exe
1096	vlc.exe
1096	vlc.exe
1096	vlc.exe
1096	vlc.exe
1096	vlc.exe
1096	vlc.exe
1096	vlc.exe
1096	vlc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AUG10TH_.exeAUG10TH_.exevlc.exe

description pid process

Token: SeDebugPrivilege 1100 AUG10TH_.exe
Token: SeDebugPrivilege 2028 AUG10TH_.exe
Token: SeDebugPrivilege 1096 vlc.exe

description	pid	process
Token: SeDebugPrivilege	1100	AUG10TH_.exe
Token: SeDebugPrivilege	2028	AUG10TH_.exe
Token: SeDebugPrivilege	1096	vlc.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

AUG10TH_.exeAUG10TH_.execmd.execmd.exevlc.exe

description	pid	process	target process
PID 1100 wrote to memory of 2028	1100	AUG10TH_.exe	AUG10TH_.exe
PID 1100 wrote to memory of 2028	1100	AUG10TH_.exe	AUG10TH_.exe
PID 1100 wrote to memory of 2028	1100	AUG10TH_.exe	AUG10TH_.exe
PID 1100 wrote to memory of 2028	1100	AUG10TH_.exe	AUG10TH_.exe
PID 1100 wrote to memory of 2028	1100	AUG10TH_.exe	AUG10TH_.exe
PID 1100 wrote to memory of 2028	1100	AUG10TH_.exe	AUG10TH_.exe
PID 1100 wrote to memory of 2028	1100	AUG10TH_.exe	AUG10TH_.exe
PID 1100 wrote to memory of 2028	1100	AUG10TH_.exe	AUG10TH_.exe
PID 1100 wrote to memory of 2028	1100	AUG10TH_.exe	AUG10TH_.exe
PID 2028 wrote to memory of 1944	2028	AUG10TH_.exe	cmd.exe
PID 2028 wrote to memory of 1944	2028	AUG10TH_.exe	cmd.exe
PID 2028 wrote to memory of 1944	2028	AUG10TH_.exe	cmd.exe
PID 2028 wrote to memory of 1944	2028	AUG10TH_.exe	cmd.exe
PID 2028 wrote to memory of 1924	2028	AUG10TH_.exe	cmd.exe
PID 2028 wrote to memory of 1924	2028	AUG10TH_.exe	cmd.exe
PID 2028 wrote to memory of 1924	2028	AUG10TH_.exe	cmd.exe
PID 2028 wrote to memory of 1924	2028	AUG10TH_.exe	cmd.exe
PID 1944 wrote to memory of 1888	1944	cmd.exe	schtasks.exe
PID 1944 wrote to memory of 1888	1944	cmd.exe	schtasks.exe
PID 1944 wrote to memory of 1888	1944	cmd.exe	schtasks.exe
PID 1944 wrote to memory of 1888	1944	cmd.exe	schtasks.exe
PID 1924 wrote to memory of 1680	1924	cmd.exe	timeout.exe
PID 1924 wrote to memory of 1680	1924	cmd.exe	timeout.exe
PID 1924 wrote to memory of 1680	1924	cmd.exe	timeout.exe
PID 1924 wrote to memory of 1680	1924	cmd.exe	timeout.exe
PID 1924 wrote to memory of 1096	1924	cmd.exe	vlc.exe
PID 1924 wrote to memory of 1096	1924	cmd.exe	vlc.exe
PID 1924 wrote to memory of 1096	1924	cmd.exe	vlc.exe
PID 1924 wrote to memory of 1096	1924	cmd.exe	vlc.exe
PID 1096 wrote to memory of 1212	1096	vlc.exe	vlc.exe
PID 1096 wrote to memory of 1212	1096	vlc.exe	vlc.exe
PID 1096 wrote to memory of 1212	1096	vlc.exe	vlc.exe
PID 1096 wrote to memory of 1212	1096	vlc.exe	vlc.exe
PID 1096 wrote to memory of 472	1096	vlc.exe	vlc.exe
PID 1096 wrote to memory of 472	1096	vlc.exe	vlc.exe
PID 1096 wrote to memory of 472	1096	vlc.exe	vlc.exe
PID 1096 wrote to memory of 472	1096	vlc.exe	vlc.exe
PID 1096 wrote to memory of 456	1096	vlc.exe	vlc.exe
PID 1096 wrote to memory of 456	1096	vlc.exe	vlc.exe
PID 1096 wrote to memory of 456	1096	vlc.exe	vlc.exe
PID 1096 wrote to memory of 456	1096	vlc.exe	vlc.exe
PID 1096 wrote to memory of 544	1096	vlc.exe	vlc.exe
PID 1096 wrote to memory of 544	1096	vlc.exe	vlc.exe
PID 1096 wrote to memory of 544	1096	vlc.exe	vlc.exe
PID 1096 wrote to memory of 544	1096	vlc.exe	vlc.exe
PID 1096 wrote to memory of 316	1096	vlc.exe	vlc.exe
PID 1096 wrote to memory of 316	1096	vlc.exe	vlc.exe
PID 1096 wrote to memory of 316	1096	vlc.exe	vlc.exe
PID 1096 wrote to memory of 316	1096	vlc.exe	vlc.exe

C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe
"C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe
"{path}"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"'
4⤵
- Creates scheduled task(s)
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF613.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1680

C:\Users\Admin\VideoLAN\vlc.exe
"C:\Users\Admin\VideoLAN\vlc.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\VideoLAN\vlc.exe
"{path}"
5⤵
- Executes dropped EXE
PID:1212

C:\Users\Admin\VideoLAN\vlc.exe
"{path}"
5⤵
- Executes dropped EXE
PID:472

C:\Users\Admin\VideoLAN\vlc.exe
"{path}"
5⤵
- Executes dropped EXE
PID:456

C:\Users\Admin\VideoLAN\vlc.exe
"{path}"
5⤵
- Executes dropped EXE
PID:544

C:\Users\Admin\VideoLAN\vlc.exe
"{path}"
5⤵
- Executes dropped EXE
PID:316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF613.tmp.bat
Filesize
140B

MD5
e53585d93bf0fd9bd247231372ad1daa

SHA1
bdf2455a73e4d9f6f4545c64469962a11b0416b9

SHA256
2f1f1a6ff5b37da166d6afb8b0c07c9f4bc95fd8d7b325ffa91b587fdf077409

SHA512
39e2689ec48eecf0a423ef975c826281a1bd6294889a08aa6dd0972ee6f7b1c96d6753c379c648ee50e25b7b7207de9cc62a19f624dd4e2689b9670c19e944de

Download Submit
C:\Users\Admin\VideoLAN\vlc.exe
Filesize
1.1MB

MD5
9d1676055eebd75eb7abd7a09528776f

SHA1
da284df615ccefcf583175ec88ea887fc1d769b2

SHA256
b045f558a43c37201a204a240bd09b7da12735958ad5c8d317feff0044d132c4

SHA512
74197863ee985f7e974d794f3038dfe8bb4e1973107e424a06ed801c63b32a4e1fd2dd9be172343b8040bb663eaf5cb04a1b6659fa36b734d07a2e30547fb8fc

Download Submit
C:\Users\Admin\VideoLAN\vlc.exe
Filesize
1.1MB

MD5
9d1676055eebd75eb7abd7a09528776f

SHA1
da284df615ccefcf583175ec88ea887fc1d769b2

SHA256
b045f558a43c37201a204a240bd09b7da12735958ad5c8d317feff0044d132c4

SHA512
74197863ee985f7e974d794f3038dfe8bb4e1973107e424a06ed801c63b32a4e1fd2dd9be172343b8040bb663eaf5cb04a1b6659fa36b734d07a2e30547fb8fc

Download Submit
C:\Users\Admin\VideoLAN\vlc.exe
Filesize
1.1MB

MD5
9d1676055eebd75eb7abd7a09528776f

SHA1
da284df615ccefcf583175ec88ea887fc1d769b2

SHA256
b045f558a43c37201a204a240bd09b7da12735958ad5c8d317feff0044d132c4

SHA512
74197863ee985f7e974d794f3038dfe8bb4e1973107e424a06ed801c63b32a4e1fd2dd9be172343b8040bb663eaf5cb04a1b6659fa36b734d07a2e30547fb8fc

Download Submit
C:\Users\Admin\VideoLAN\vlc.exe
Filesize
1.1MB

MD5
9d1676055eebd75eb7abd7a09528776f

SHA1
da284df615ccefcf583175ec88ea887fc1d769b2

SHA256
b045f558a43c37201a204a240bd09b7da12735958ad5c8d317feff0044d132c4

SHA512
74197863ee985f7e974d794f3038dfe8bb4e1973107e424a06ed801c63b32a4e1fd2dd9be172343b8040bb663eaf5cb04a1b6659fa36b734d07a2e30547fb8fc

Download Submit
C:\Users\Admin\VideoLAN\vlc.exe
Filesize
1.1MB

MD5
9d1676055eebd75eb7abd7a09528776f

SHA1
da284df615ccefcf583175ec88ea887fc1d769b2

SHA256
b045f558a43c37201a204a240bd09b7da12735958ad5c8d317feff0044d132c4

SHA512
74197863ee985f7e974d794f3038dfe8bb4e1973107e424a06ed801c63b32a4e1fd2dd9be172343b8040bb663eaf5cb04a1b6659fa36b734d07a2e30547fb8fc

Download Submit
C:\Users\Admin\VideoLAN\vlc.exe
Filesize
1.1MB

MD5
9d1676055eebd75eb7abd7a09528776f

SHA1
da284df615ccefcf583175ec88ea887fc1d769b2

SHA256
b045f558a43c37201a204a240bd09b7da12735958ad5c8d317feff0044d132c4

SHA512
74197863ee985f7e974d794f3038dfe8bb4e1973107e424a06ed801c63b32a4e1fd2dd9be172343b8040bb663eaf5cb04a1b6659fa36b734d07a2e30547fb8fc

Download Submit
C:\Users\Admin\VideoLAN\vlc.exe
Filesize
1.1MB

MD5
9d1676055eebd75eb7abd7a09528776f

SHA1
da284df615ccefcf583175ec88ea887fc1d769b2

SHA256
b045f558a43c37201a204a240bd09b7da12735958ad5c8d317feff0044d132c4

SHA512
74197863ee985f7e974d794f3038dfe8bb4e1973107e424a06ed801c63b32a4e1fd2dd9be172343b8040bb663eaf5cb04a1b6659fa36b734d07a2e30547fb8fc

Download Submit
\Users\Admin\VideoLAN\vlc.exe
Filesize
1.1MB

MD5
9d1676055eebd75eb7abd7a09528776f

SHA1
da284df615ccefcf583175ec88ea887fc1d769b2

SHA256
b045f558a43c37201a204a240bd09b7da12735958ad5c8d317feff0044d132c4

SHA512
74197863ee985f7e974d794f3038dfe8bb4e1973107e424a06ed801c63b32a4e1fd2dd9be172343b8040bb663eaf5cb04a1b6659fa36b734d07a2e30547fb8fc

Download Submit
memory/1096-81-0x0000000000000000-mapping.dmp

Download
memory/1096-83-0x0000000000340000-0x000000000045C000-memory.dmp

Filesize
1.1MB

Download
memory/1100-58-0x0000000005BD0000-0x0000000005C94000-memory.dmp

Filesize
784KB

Download
memory/1100-57-0x0000000005970000-0x0000000005A26000-memory.dmp

Filesize
728KB

Download
memory/1100-54-0x00000000010C0000-0x00000000011DC000-memory.dmp

Filesize
1.1MB

Download
memory/1100-56-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/1100-55-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1680-78-0x0000000000000000-mapping.dmp

Download
memory/1888-77-0x0000000000000000-mapping.dmp

Download
memory/1924-74-0x0000000000000000-mapping.dmp

Download
memory/1944-73-0x0000000000000000-mapping.dmp

Download
memory/2028-75-0x0000000004EF5000-0x0000000004F06000-memory.dmp

Filesize
68KB

Download
memory/2028-71-0x0000000000E40000-0x0000000000EB8000-memory.dmp

Filesize
480KB

Download
memory/2028-68-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2028-70-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2028-66-0x00000000004B318E-mapping.dmp

Download
memory/2028-64-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2028-65-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2028-60-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2028-62-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2028-59-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download