masslogger | 5024d7052a08cb4612a33edbadd6cfb5f52699dd0e3f77f86bd1aeb751f8fad2

General

Target

PO7562201.exe
Size

890KB
MD5

cd43c1409987ea30440112f44b07038a
SHA1

9702a0f0f06d893d900402344d1616b8eeed86cc
SHA256

ef30ffc2d3ba3ec27cfaee6dd4e86f0fa4e2c8799e341affa924e0763d51ed1a
SHA512

c6b0141ad41ee18a4669e17098b5254f7c10f7b5e11400a76801cb2fe4b0ab50de9363f6d1b0cbb44da6a95c40d422f9c9ccdc208310f74fff452ce8a1317d97

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4596-134-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO7562201.exe

description pid process target process

PID 1216 set thread context of 4596 1216 PO7562201.exe PO7562201.exe

description	pid	process	target process
PID 1216 set thread context of 4596	1216	PO7562201.exe	PO7562201.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

PO7562201.exePO7562201.exepowershell.exe

pid	process
1216	PO7562201.exe
1216	PO7562201.exe
1216	PO7562201.exe
1216	PO7562201.exe
1216	PO7562201.exe
1216	PO7562201.exe
4596	PO7562201.exe
4596	PO7562201.exe
4148	powershell.exe
4148	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO7562201.exePO7562201.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1216 PO7562201.exe
Token: SeDebugPrivilege 4596 PO7562201.exe
Token: SeDebugPrivilege 4148 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1216	PO7562201.exe
Token: SeDebugPrivilege	4596	PO7562201.exe
Token: SeDebugPrivilege	4148	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

PO7562201.exePO7562201.execmd.exe

description	pid	process	target process
PID 1216 wrote to memory of 4596	1216	PO7562201.exe	PO7562201.exe
PID 1216 wrote to memory of 4596	1216	PO7562201.exe	PO7562201.exe
PID 1216 wrote to memory of 4596	1216	PO7562201.exe	PO7562201.exe
PID 1216 wrote to memory of 4596	1216	PO7562201.exe	PO7562201.exe
PID 1216 wrote to memory of 4596	1216	PO7562201.exe	PO7562201.exe
PID 1216 wrote to memory of 4596	1216	PO7562201.exe	PO7562201.exe
PID 1216 wrote to memory of 4596	1216	PO7562201.exe	PO7562201.exe
PID 1216 wrote to memory of 4596	1216	PO7562201.exe	PO7562201.exe
PID 4596 wrote to memory of 2104	4596	PO7562201.exe	cmd.exe
PID 4596 wrote to memory of 2104	4596	PO7562201.exe	cmd.exe
PID 4596 wrote to memory of 2104	4596	PO7562201.exe	cmd.exe
PID 2104 wrote to memory of 4148	2104	cmd.exe	powershell.exe
PID 2104 wrote to memory of 4148	2104	cmd.exe	powershell.exe
PID 2104 wrote to memory of 4148	2104	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\PO7562201.exe
"C:\Users\Admin\AppData\Local\Temp\PO7562201.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\PO7562201.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PO7562201.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PO7562201.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO7562201.exe.log

Filesize
412B

MD5
ad1c7f6525cfeb54c0487efd38b0e26c

SHA1
ed3da94723ac7e3828a9e93d68418bb810592f3b

SHA256
0a534a3d0fa82e6a427164c5f6e702cac7e4afc9967af9bc5ddba4f84ab33276

SHA512
48d625e6be5391d91d95c2850226fe39bb2411cb72139797699cfe126e6b066182e83950a8ea67e63b64a66b0d45f58d8bc97cab0363d55c2fd88c0d1d28009c

Download Submit
memory/1216-131-0x00000000053C0000-0x000000000545C000-memory.dmp

Filesize
624KB

Download
memory/1216-132-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/1216-130-0x0000000000600000-0x00000000006E4000-memory.dmp

Filesize
912KB

Download
memory/2104-137-0x0000000000000000-mapping.dmp

Download
memory/4148-142-0x0000000005B90000-0x0000000005BB2000-memory.dmp

Filesize
136KB

Download
memory/4148-145-0x0000000007C40000-0x00000000082BA000-memory.dmp

Filesize
6.5MB

Download
memory/4148-148-0x0000000006950000-0x0000000006972000-memory.dmp

Filesize
136KB

Download
memory/4148-147-0x0000000007660000-0x00000000076F6000-memory.dmp

Filesize
600KB

Download
memory/4148-139-0x0000000000000000-mapping.dmp

Download
memory/4148-140-0x0000000002AE0000-0x0000000002B16000-memory.dmp

Filesize
216KB

Download
memory/4148-141-0x0000000005530000-0x0000000005B58000-memory.dmp

Filesize
6.2MB

Download
memory/4148-146-0x00000000068B0000-0x00000000068CA000-memory.dmp

Filesize
104KB

Download
memory/4148-143-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/4148-144-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/4596-136-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/4596-133-0x0000000000000000-mapping.dmp

Download
memory/4596-134-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4596-135-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads