masslogger | bcb30c2233345ccc3769c21dbfdecb20ec43339517204720f310ccfec29fe49a

General

Target

AUG10TH_.exe
Size

1.1MB
MD5

9d1676055eebd75eb7abd7a09528776f
SHA1

da284df615ccefcf583175ec88ea887fc1d769b2
SHA256

b045f558a43c37201a204a240bd09b7da12735958ad5c8d317feff0044d132c4
SHA512

74197863ee985f7e974d794f3038dfe8bb4e1973107e424a06ed801c63b32a4e1fd2dd9be172343b8040bb663eaf5cb04a1b6659fa36b734d07a2e30547fb8fc

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2876-136-0x0000000000400000-0x00000000004C4000-memory.dmp	family_masslogger

Executes dropped EXE 1 IoCs

Processes:

vlc.exe

pid process

1460 vlc.exe

pid	process
1460	vlc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AUG10TH_.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	AUG10TH_.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

32 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

AUG10TH_.exe

description pid process target process

PID 3420 set thread context of 2876 3420 AUG10TH_.exe AUG10TH_.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4600 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3232 timeout.exe

flow	ioc
32	api.ipify.org

description	pid	process	target process
PID 3420 set thread context of 2876	3420	AUG10TH_.exe	AUG10TH_.exe

pid	process
4600	schtasks.exe

pid	process
3232	timeout.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

AUG10TH_.exeAUG10TH_.exevlc.exe

pid	process
3420	AUG10TH_.exe
3420	AUG10TH_.exe
3420	AUG10TH_.exe
3420	AUG10TH_.exe
3420	AUG10TH_.exe
3420	AUG10TH_.exe
3420	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
2876	AUG10TH_.exe
1460	vlc.exe
1460	vlc.exe
1460	vlc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AUG10TH_.exeAUG10TH_.exevlc.exe

description pid process

Token: SeDebugPrivilege 3420 AUG10TH_.exe
Token: SeDebugPrivilege 2876 AUG10TH_.exe
Token: SeDebugPrivilege 1460 vlc.exe

description	pid	process
Token: SeDebugPrivilege	3420	AUG10TH_.exe
Token: SeDebugPrivilege	2876	AUG10TH_.exe
Token: SeDebugPrivilege	1460	vlc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

AUG10TH_.exeAUG10TH_.execmd.execmd.exe

description	pid	process	target process
PID 3420 wrote to memory of 2876	3420	AUG10TH_.exe	AUG10TH_.exe
PID 3420 wrote to memory of 2876	3420	AUG10TH_.exe	AUG10TH_.exe
PID 3420 wrote to memory of 2876	3420	AUG10TH_.exe	AUG10TH_.exe
PID 3420 wrote to memory of 2876	3420	AUG10TH_.exe	AUG10TH_.exe
PID 3420 wrote to memory of 2876	3420	AUG10TH_.exe	AUG10TH_.exe
PID 3420 wrote to memory of 2876	3420	AUG10TH_.exe	AUG10TH_.exe
PID 3420 wrote to memory of 2876	3420	AUG10TH_.exe	AUG10TH_.exe
PID 3420 wrote to memory of 2876	3420	AUG10TH_.exe	AUG10TH_.exe
PID 2876 wrote to memory of 2776	2876	AUG10TH_.exe	cmd.exe
PID 2876 wrote to memory of 2776	2876	AUG10TH_.exe	cmd.exe
PID 2876 wrote to memory of 2776	2876	AUG10TH_.exe	cmd.exe
PID 2876 wrote to memory of 3744	2876	AUG10TH_.exe	cmd.exe
PID 2876 wrote to memory of 3744	2876	AUG10TH_.exe	cmd.exe
PID 2876 wrote to memory of 3744	2876	AUG10TH_.exe	cmd.exe
PID 2776 wrote to memory of 4600	2776	cmd.exe	schtasks.exe
PID 2776 wrote to memory of 4600	2776	cmd.exe	schtasks.exe
PID 2776 wrote to memory of 4600	2776	cmd.exe	schtasks.exe
PID 3744 wrote to memory of 3232	3744	cmd.exe	timeout.exe
PID 3744 wrote to memory of 3232	3744	cmd.exe	timeout.exe
PID 3744 wrote to memory of 3232	3744	cmd.exe	timeout.exe
PID 3744 wrote to memory of 1460	3744	cmd.exe	vlc.exe
PID 3744 wrote to memory of 1460	3744	cmd.exe	vlc.exe
PID 3744 wrote to memory of 1460	3744	cmd.exe	vlc.exe

C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe
"C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"'
      4⤵
      Creates scheduled task(s)
      PID:4600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEFFD.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3232
  - - C:\Users\Admin\VideoLAN\vlc.exe
      "C:\Users\Admin\VideoLAN\vlc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AUG10TH_.exe.log

Filesize
1KB

MD5
400f1cc1a0a0ce1cdabda365ab3368ce

SHA1
1ecf683f14271d84f3b6063493dce00ff5f42075

SHA256
c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765

SHA512
14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEFFD.tmp.bat

Filesize
140B

MD5
f70f5da3d2b5978d5567881265efe045

SHA1
d8680f7f8a9f4d1264c9290a917a8b75846a63a0

SHA256
718c49ac5e7d45a04777194d58361e19710c9f6bb4e2ee0fde573b23e098015f

SHA512
9afde5aefa6c1555c56631a433467840b3dac52d9940b6589a71a1fd9aa8f8e65f79cfcf29c3a966097b0f89dd206aa46d144f5efa0f43a6eb05b9143e4c26f8

Download Submit
C:\Users\Admin\VideoLAN\vlc.exe

Filesize
1.1MB

MD5
9d1676055eebd75eb7abd7a09528776f

SHA1
da284df615ccefcf583175ec88ea887fc1d769b2

SHA256
b045f558a43c37201a204a240bd09b7da12735958ad5c8d317feff0044d132c4

SHA512
74197863ee985f7e974d794f3038dfe8bb4e1973107e424a06ed801c63b32a4e1fd2dd9be172343b8040bb663eaf5cb04a1b6659fa36b734d07a2e30547fb8fc

Download Submit
C:\Users\Admin\VideoLAN\vlc.exe

Filesize
1.1MB

MD5
9d1676055eebd75eb7abd7a09528776f

SHA1
da284df615ccefcf583175ec88ea887fc1d769b2

SHA256
b045f558a43c37201a204a240bd09b7da12735958ad5c8d317feff0044d132c4

SHA512
74197863ee985f7e974d794f3038dfe8bb4e1973107e424a06ed801c63b32a4e1fd2dd9be172343b8040bb663eaf5cb04a1b6659fa36b734d07a2e30547fb8fc

Download Submit
memory/1460-144-0x0000000000000000-mapping.dmp

Download
memory/2776-139-0x0000000000000000-mapping.dmp

Download
memory/2876-135-0x0000000000000000-mapping.dmp

Download
memory/2876-136-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2876-138-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/3232-143-0x0000000000000000-mapping.dmp

Download
memory/3420-134-0x000000000D750000-0x000000000D7EC000-memory.dmp

Filesize
624KB

Download
memory/3420-130-0x0000000000460000-0x000000000057C000-memory.dmp

Filesize
1.1MB

Download
memory/3420-133-0x00000000050B0000-0x00000000050BA000-memory.dmp

Filesize
40KB

Download
memory/3420-132-0x0000000005380000-0x0000000005412000-memory.dmp

Filesize
584KB

Download
memory/3420-131-0x0000000005790000-0x0000000005D34000-memory.dmp

Filesize
5.6MB

Download
memory/3744-140-0x0000000000000000-mapping.dmp

Download
memory/4600-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads