masslogger | 6097f132b4a98062dbb7ea2302774344f1b004043e5771ffa64a34dffd4830de

Analysis

max time kernel
92s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL Shipping Documents.exe
Size

2.0MB
MD5

8c2ae0a1d14cda74ddc4309b46fee9a3
SHA1

81443874dc7ac6cb16786f2c8779d823e13986dc
SHA256

d8f4223d57a495c09741feb21a5e2ec082321d38a77e54a4d2b4b147d8e6bc23
SHA512

1ed42929392bce8c943c62e36f9a84eea9d1a55d1540cf0e56991a864347456507f4df8a011f577255695938f0ac446b968ab8add499581ade7e724e185eb398

Score

10^/10

masslogger ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\EEB932C954\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.4.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.13 Location: United States OS: Microsoft Windows 10 Pro64bit CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/20/2022 6:28:04 PM MassLogger Started: 5/20/2022 6:27:57 PM Interval: 96 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 60 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1564-136-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-141-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-142-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-143-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-144-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-145-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-146-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-147-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-148-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-149-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-150-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-151-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-153-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-152-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-155-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-156-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-154-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-157-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-158-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-159-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-160-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-161-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-162-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-164-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-163-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-165-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-167-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-168-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-169-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-166-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-170-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-171-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-172-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-173-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-174-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-175-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-176-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-177-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-178-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-179-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-180-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-181-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-182-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-183-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-184-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-185-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-186-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-187-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-188-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-189-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-190-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-191-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-192-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-193-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-194-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-195-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-196-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-197-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-199-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger
behavioral2/memory/1564-198-0x0000000000620000-0x00000000006D0000-memory.dmp	family_masslogger

MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL Shipping Documents.exe

description pid process target process

PID 2728 set thread context of 1564 2728 DHL Shipping Documents.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSBuild.exe

pid process

1564 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 1564 MSBuild.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

DHL Shipping Documents.exe

pid process

2728 DHL Shipping Documents.exe
2728 DHL Shipping Documents.exe
2728 DHL Shipping Documents.exe
2728 DHL Shipping Documents.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

DHL Shipping Documents.exe

pid process

2728 DHL Shipping Documents.exe
2728 DHL Shipping Documents.exe
2728 DHL Shipping Documents.exe
2728 DHL Shipping Documents.exe

yara_rule
masslogger_log_file

flow	ioc
28	api.ipify.org

description	pid	process	target process
PID 2728 set thread context of 1564	2728	DHL Shipping Documents.exe	MSBuild.exe

pid	process
1564	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1564	MSBuild.exe

pid	process
2728	DHL Shipping Documents.exe
2728	DHL Shipping Documents.exe
2728	DHL Shipping Documents.exe
2728	DHL Shipping Documents.exe

pid	process
2728	DHL Shipping Documents.exe
2728	DHL Shipping Documents.exe
2728	DHL Shipping Documents.exe
2728	DHL Shipping Documents.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

DHL Shipping Documents.exe

description	pid	process	target process
PID 2728 wrote to memory of 1564	2728	DHL Shipping Documents.exe	MSBuild.exe
PID 2728 wrote to memory of 1564	2728	DHL Shipping Documents.exe	MSBuild.exe
PID 2728 wrote to memory of 1564	2728	DHL Shipping Documents.exe	MSBuild.exe
PID 2728 wrote to memory of 1564	2728	DHL Shipping Documents.exe	MSBuild.exe
PID 2728 wrote to memory of 1564	2728	DHL Shipping Documents.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\DHL Shipping Documents.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipping Documents.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1564-135-0x0000000000000000-mapping.dmp

Download
memory/1564-136-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-141-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-142-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-143-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-144-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-145-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-146-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-147-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-148-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-149-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-150-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-151-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-153-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-152-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-155-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-156-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-154-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-157-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-158-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-159-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-160-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-161-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-162-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-164-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-163-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-165-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-167-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-168-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-169-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-166-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-170-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-171-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-172-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-173-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-174-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-175-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-176-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-177-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-178-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-179-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-180-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-181-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-182-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-183-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-184-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-185-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-186-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-187-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-188-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-189-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-190-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-191-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-192-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-193-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-194-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-195-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-196-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-197-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-199-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-198-0x0000000000620000-0x00000000006D0000-memory.dmp

Filesize
704KB

Download
memory/1564-394-0x00000000053C0000-0x0000000005964000-memory.dmp

Filesize
5.6MB

Download
memory/1564-395-0x0000000004D00000-0x0000000004D9C000-memory.dmp

Filesize
624KB

Download
memory/1564-396-0x0000000004F80000-0x0000000004FE6000-memory.dmp

Filesize
408KB

Download
memory/1564-397-0x0000000005090000-0x0000000005122000-memory.dmp

Filesize
584KB

Download
memory/1564-398-0x0000000006410000-0x000000000641A000-memory.dmp

Filesize
40KB

Download
memory/2728-133-0x0000000004B10000-0x0000000004C65000-memory.dmp

Filesize
1.3MB

Download
memory/2728-134-0x0000000004F30000-0x0000000005085000-memory.dmp

Filesize
1.3MB

Download