masslogger | 4ecff575d53648fec56921dc2bc8fc03cfc64d89eefcf4e5c86518c914b12016

General

Target

Order List.exe
Size

889KB
MD5

523d2c641aa2e75c31bcafe232fcfb80
SHA1

b6b100e6985fccd85afd8a4864b39d9e5b61803b
SHA256

d6669aaf12fcea6f6a3283e6ba6ce484574f309fbd1f80c7a3ee13ba1746a3d1
SHA512

d8664fdd1de94906d346f023ff8fd4dd6089db9aede78abd35b52f50bdeb9b8de89c8b10ab660e9611e6826c0a6a9134d60fc8062acb9ea4c8b60d3af2f4b8a5

Score

10^/10

masslogger persistence spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4620-135-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Order List.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\chrome.exe\""	Order List.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Order List.exe

description pid process target process

PID 1696 set thread context of 4620 1696 Order List.exe Order List.exe

description	pid	process	target process
PID 1696 set thread context of 4620	1696	Order List.exe	Order List.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

Order List.exeOrder List.exepowershell.exe

pid	process
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
1696	Order List.exe
4620	Order List.exe
4620	Order List.exe
4700	powershell.exe
4700	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Order List.exeOrder List.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1696 Order List.exe
Token: SeDebugPrivilege 4620 Order List.exe
Token: SeDebugPrivilege 4700 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1696	Order List.exe
Token: SeDebugPrivilege	4620	Order List.exe
Token: SeDebugPrivilege	4700	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Order List.exeOrder List.execmd.exe

description	pid	process	target process
PID 1696 wrote to memory of 4620	1696	Order List.exe	Order List.exe
PID 1696 wrote to memory of 4620	1696	Order List.exe	Order List.exe
PID 1696 wrote to memory of 4620	1696	Order List.exe	Order List.exe
PID 1696 wrote to memory of 4620	1696	Order List.exe	Order List.exe
PID 1696 wrote to memory of 4620	1696	Order List.exe	Order List.exe
PID 1696 wrote to memory of 4620	1696	Order List.exe	Order List.exe
PID 1696 wrote to memory of 4620	1696	Order List.exe	Order List.exe
PID 1696 wrote to memory of 4620	1696	Order List.exe	Order List.exe
PID 4620 wrote to memory of 3280	4620	Order List.exe	cmd.exe
PID 4620 wrote to memory of 3280	4620	Order List.exe	cmd.exe
PID 4620 wrote to memory of 3280	4620	Order List.exe	cmd.exe
PID 3280 wrote to memory of 4700	3280	cmd.exe	powershell.exe
PID 3280 wrote to memory of 4700	3280	cmd.exe	powershell.exe
PID 3280 wrote to memory of 4700	3280	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Order List.exe
"C:\Users\Admin\AppData\Local\Temp\Order List.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\Order List.exe
"C:\Users\Admin\AppData\Local\Temp\Order List.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order List.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order List.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1696-130-0x0000000000420000-0x0000000000504000-memory.dmp

Filesize
912KB

Download
memory/1696-131-0x00000000054E0000-0x0000000005A84000-memory.dmp

Filesize
5.6MB

Download
memory/1696-132-0x0000000004F30000-0x0000000004FC2000-memory.dmp

Filesize
584KB

Download
memory/1696-133-0x00000000051B0000-0x000000000524C000-memory.dmp

Filesize
624KB

Download
memory/3280-137-0x0000000000000000-mapping.dmp

Download
memory/4620-134-0x0000000000000000-mapping.dmp

Download
memory/4620-135-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4620-136-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/4700-138-0x0000000000000000-mapping.dmp

Download
memory/4700-139-0x0000000002CC0000-0x0000000002CF6000-memory.dmp

Filesize
216KB

Download
memory/4700-140-0x0000000005840000-0x0000000005E68000-memory.dmp

Filesize
6.2MB

Download
memory/4700-141-0x0000000005660000-0x0000000005682000-memory.dmp

Filesize
136KB

Download
memory/4700-142-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/4700-143-0x00000000065F0000-0x000000000660E000-memory.dmp

Filesize
120KB

Download
memory/4700-144-0x0000000007C40000-0x00000000082BA000-memory.dmp

Filesize
6.5MB

Download
memory/4700-145-0x0000000006AF0000-0x0000000006B0A000-memory.dmp

Filesize
104KB

Download
memory/4700-146-0x0000000007660000-0x00000000076F6000-memory.dmp

Filesize
600KB

Download
memory/4700-147-0x00000000075C0000-0x00000000075E2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads