masslogger | 00c3cff2f322142766af113e8aaeabb7fbb7ca7e98d60e6e254ef5e651a9e03a

General

Target

Inquiry List Details.exe
Size

868KB
MD5

18441e9c6156df94b21556dab4ef4701
SHA1

25b9a51950b21e8d86b56770a9d23225b1a5e40e
SHA256

fb248d3c4b08dd0bef37e565fbe078a57f13b5214b8cafeccf42bdd50767678d
SHA512

3719e583e8703f950fa9dc0c62badc4781aa6b5f2c585b1817cfe7f6cba39ba9f89b7f3571350aad60fe50c24b9f9c37ab1e5672aaf9b0ebe1361fac4ce833c4

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5108-135-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

Processes:

Inquiry List Details.exe

description pid process target process

PID 4984 set thread context of 5108 4984 Inquiry List Details.exe Inquiry List Details.exe

description	pid	process	target process
PID 4984 set thread context of 5108	4984	Inquiry List Details.exe	Inquiry List Details.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

Inquiry List Details.exeInquiry List Details.exepowershell.exe

pid	process
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
4984	Inquiry List Details.exe
5108	Inquiry List Details.exe
5108	Inquiry List Details.exe
1788	powershell.exe
1788	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Inquiry List Details.exeInquiry List Details.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4984	Inquiry List Details.exe
Token: SeDebugPrivilege	5108	Inquiry List Details.exe
Token: SeDebugPrivilege	1788	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Inquiry List Details.exeInquiry List Details.execmd.exe

description	pid	process	target process
PID 4984 wrote to memory of 5108	4984	Inquiry List Details.exe	Inquiry List Details.exe
PID 4984 wrote to memory of 5108	4984	Inquiry List Details.exe	Inquiry List Details.exe
PID 4984 wrote to memory of 5108	4984	Inquiry List Details.exe	Inquiry List Details.exe
PID 4984 wrote to memory of 5108	4984	Inquiry List Details.exe	Inquiry List Details.exe
PID 4984 wrote to memory of 5108	4984	Inquiry List Details.exe	Inquiry List Details.exe
PID 4984 wrote to memory of 5108	4984	Inquiry List Details.exe	Inquiry List Details.exe
PID 4984 wrote to memory of 5108	4984	Inquiry List Details.exe	Inquiry List Details.exe
PID 4984 wrote to memory of 5108	4984	Inquiry List Details.exe	Inquiry List Details.exe
PID 5108 wrote to memory of 1960	5108	Inquiry List Details.exe	cmd.exe
PID 5108 wrote to memory of 1960	5108	Inquiry List Details.exe	cmd.exe
PID 5108 wrote to memory of 1960	5108	Inquiry List Details.exe	cmd.exe
PID 1960 wrote to memory of 1788	1960	cmd.exe	powershell.exe
PID 1960 wrote to memory of 1788	1960	cmd.exe	powershell.exe
PID 1960 wrote to memory of 1788	1960	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Inquiry List Details.exe
"C:\Users\Admin\AppData\Local\Temp\Inquiry List Details.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Local\Temp\Inquiry List Details.exe
"C:\Users\Admin\AppData\Local\Temp\Inquiry List Details.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Inquiry List Details.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Inquiry List Details.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1788-142-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/1788-141-0x0000000005210000-0x0000000005232000-memory.dmp

Filesize
136KB

Download
memory/1788-139-0x00000000027E0000-0x0000000002816000-memory.dmp

Filesize
216KB

Download
memory/1788-140-0x0000000005350000-0x0000000005978000-memory.dmp

Filesize
6.2MB

Download
memory/1788-138-0x0000000000000000-mapping.dmp

Download
memory/1788-146-0x0000000007150000-0x00000000071E6000-memory.dmp

Filesize
600KB

Download
memory/1788-145-0x00000000065E0000-0x00000000065FA000-memory.dmp

Filesize
104KB

Download
memory/1788-147-0x00000000066B0000-0x00000000066D2000-memory.dmp

Filesize
136KB

Download
memory/1788-144-0x0000000007730000-0x0000000007DAA000-memory.dmp

Filesize
6.5MB

Download
memory/1788-143-0x00000000060E0000-0x00000000060FE000-memory.dmp

Filesize
120KB

Download
memory/1960-137-0x0000000000000000-mapping.dmp

Download
memory/4984-132-0x0000000005420000-0x00000000054B2000-memory.dmp

Filesize
584KB

Download
memory/4984-130-0x00000000009C0000-0x0000000000AA0000-memory.dmp

Filesize
896KB

Download
memory/4984-133-0x0000000005960000-0x00000000059FC000-memory.dmp

Filesize
624KB

Download
memory/4984-131-0x0000000005A90000-0x0000000006034000-memory.dmp

Filesize
5.6MB

Download
memory/5108-136-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/5108-135-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5108-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads