masslogger | 73fa7d72535f68d0def7fc2a838c2f8b175e13128f774fdbd6b4335dc95c0453

General

Target

wewewewe.exe
Size

1.4MB
MD5

029c7ec1040676551533408ef85d1f68
SHA1

9e5fb6844e76687bb47f7b7e549307c95305fdae
SHA256

619d55dafa6cfdc23580e3a1e8a57ef3a246a0163385f4a61a591ac0517d85f6
SHA512

2e0c010d934131d0641f89c9ebeb7a295f519e09578bda477f58b88b4e8c0d7658adc3c07f8a94e455b4b4c46fcd56e32c27f5afb4b4ededccb668fdd572042c

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2608-133-0x0000000000BA0000-0x0000000000C48000-memory.dmp	family_masslogger
behavioral2/memory/2608-134-0x0000000000BA0000-0x0000000000C48000-memory.dmp	family_masslogger

Drops startup file 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wewewew.vbs notepad.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

wewewewe.exe

description pid process target process

PID 2224 set thread context of 2608 2224 wewewewe.exe wewewewe.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

wewewewe.exepowershell.exe

pid process

2224 wewewewe.exe
2224 wewewewe.exe
4280 powershell.exe
4280 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

wewewewe.exe

pid process

2224 wewewewe.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4280 powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wewewew.vbs	notepad.exe

description	pid	process	target process
PID 2224 set thread context of 2608	2224	wewewewe.exe	wewewewe.exe

pid	process
2224	wewewewe.exe
2224	wewewewe.exe
4280	powershell.exe
4280	powershell.exe

pid	process
2224	wewewewe.exe

description	pid	process
Token: SeDebugPrivilege	4280	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

wewewewe.exewewewewe.execmd.exe

description	pid	process	target process
PID 2224 wrote to memory of 2432	2224	wewewewe.exe	notepad.exe
PID 2224 wrote to memory of 2432	2224	wewewewe.exe	notepad.exe
PID 2224 wrote to memory of 2432	2224	wewewewe.exe	notepad.exe
PID 2224 wrote to memory of 2432	2224	wewewewe.exe	notepad.exe
PID 2224 wrote to memory of 2432	2224	wewewewe.exe	notepad.exe
PID 2224 wrote to memory of 2608	2224	wewewewe.exe	wewewewe.exe
PID 2224 wrote to memory of 2608	2224	wewewewe.exe	wewewewe.exe
PID 2224 wrote to memory of 2608	2224	wewewewe.exe	wewewewe.exe
PID 2608 wrote to memory of 4368	2608	wewewewe.exe	cmd.exe
PID 2608 wrote to memory of 4368	2608	wewewewe.exe	cmd.exe
PID 2608 wrote to memory of 4368	2608	wewewewe.exe	cmd.exe
PID 4368 wrote to memory of 4280	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 4280	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 4280	4368	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\wewewewe.exe
"C:\Users\Admin\AppData\Local\Temp\wewewewe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Drops startup file
PID:2432

C:\Users\Admin\AppData\Local\Temp\wewewewe.exe
"C:\Users\Admin\AppData\Local\Temp\wewewewe.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\wewewewe.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\wewewewe.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2224-130-0x0000000002350000-0x0000000002359000-memory.dmp

Filesize
36KB

Download
memory/2432-131-0x0000000000000000-mapping.dmp

Download
memory/2608-132-0x0000000000000000-mapping.dmp

Download
memory/2608-133-0x0000000000BA0000-0x0000000000C48000-memory.dmp

Filesize
672KB

Download
memory/2608-134-0x0000000000BA0000-0x0000000000C48000-memory.dmp

Filesize
672KB

Download
memory/2608-135-0x0000000004C00000-0x00000000051A4000-memory.dmp

Filesize
5.6MB

Download
memory/2608-136-0x00000000051B0000-0x000000000524C000-memory.dmp

Filesize
624KB

Download
memory/2608-137-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/2608-138-0x00000000058A0000-0x0000000005932000-memory.dmp

Filesize
584KB

Download
memory/4280-140-0x0000000000000000-mapping.dmp

Download
memory/4280-141-0x0000000002220000-0x0000000002256000-memory.dmp

Filesize
216KB

Download
memory/4280-142-0x0000000004E80000-0x00000000054A8000-memory.dmp

Filesize
6.2MB

Download
memory/4280-143-0x0000000004BB0000-0x0000000004BD2000-memory.dmp

Filesize
136KB

Download
memory/4280-144-0x0000000004CD0000-0x0000000004D36000-memory.dmp

Filesize
408KB

Download
memory/4280-145-0x00000000048F0000-0x000000000490E000-memory.dmp

Filesize
120KB

Download
memory/4280-146-0x0000000007210000-0x000000000788A000-memory.dmp

Filesize
6.5MB

Download
memory/4280-147-0x0000000006020000-0x000000000603A000-memory.dmp

Filesize
104KB

Download
memory/4280-148-0x0000000006B90000-0x0000000006C26000-memory.dmp

Filesize
600KB

Download
memory/4280-149-0x0000000006110000-0x0000000006132000-memory.dmp

Filesize
136KB

Download
memory/4368-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads