masslogger | ff49433d67b8d8ffb6c3757b20b3baf4f45399ec3560876ef4f819b0aae6c194

General

Target

PO 7405591, 7756947 ,7756740.exe
Size

1.2MB
MD5

63831c721dddee09571fe4d9df808576
SHA1

6fdd675db58fe108ec77ad19f72d05d908cbe07c
SHA256

f8a4be5923387077b32e65cfea383db1576e5dd068b926a1e9833ff24e48fd64
SHA512

c40638ecfab9b4de4756a29a09d68a4b896adbfedf8a43a0ebe7e09647d24a3d5e1c7bbe8fe324d090ebcf00424f59f5884cde0ac8f3974796d22a36b86da4c0

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2556-130-0x0000000000160000-0x00000000002A0000-memory.dmp	family_masslogger
behavioral2/memory/3696-136-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger

Executes dropped EXE 1 IoCs

Processes:

RegAsm.exe

pid process

3696 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO 7405591, 7756947 ,7756740.exe

description pid process target process

PID 2556 set thread context of 3696 2556 PO 7405591, 7756947 ,7756740.exe RegAsm.exe

pid	process
3696	RegAsm.exe

description	pid	process	target process
PID 2556 set thread context of 3696	2556	PO 7405591, 7756947 ,7756740.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

PO 7405591, 7756947 ,7756740.exepowershell.exe

pid	process
2556	PO 7405591, 7756947 ,7756740.exe
2556	PO 7405591, 7756947 ,7756740.exe
2556	PO 7405591, 7756947 ,7756740.exe
4704	powershell.exe
4704	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO 7405591, 7756947 ,7756740.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2556 PO 7405591, 7756947 ,7756740.exe
Token: SeDebugPrivilege 4704 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2556	PO 7405591, 7756947 ,7756740.exe
Token: SeDebugPrivilege	4704	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

PO 7405591, 7756947 ,7756740.exeRegAsm.execmd.exe

description	pid	process	target process
PID 2556 wrote to memory of 3696	2556	PO 7405591, 7756947 ,7756740.exe	RegAsm.exe
PID 2556 wrote to memory of 3696	2556	PO 7405591, 7756947 ,7756740.exe	RegAsm.exe
PID 2556 wrote to memory of 3696	2556	PO 7405591, 7756947 ,7756740.exe	RegAsm.exe
PID 2556 wrote to memory of 3696	2556	PO 7405591, 7756947 ,7756740.exe	RegAsm.exe
PID 2556 wrote to memory of 3696	2556	PO 7405591, 7756947 ,7756740.exe	RegAsm.exe
PID 2556 wrote to memory of 3696	2556	PO 7405591, 7756947 ,7756740.exe	RegAsm.exe
PID 2556 wrote to memory of 3696	2556	PO 7405591, 7756947 ,7756740.exe	RegAsm.exe
PID 2556 wrote to memory of 3696	2556	PO 7405591, 7756947 ,7756740.exe	RegAsm.exe
PID 3696 wrote to memory of 4640	3696	RegAsm.exe	cmd.exe
PID 3696 wrote to memory of 4640	3696	RegAsm.exe	cmd.exe
PID 3696 wrote to memory of 4640	3696	RegAsm.exe	cmd.exe
PID 4640 wrote to memory of 4704	4640	cmd.exe	powershell.exe
PID 4640 wrote to memory of 4704	4640	cmd.exe	powershell.exe
PID 4640 wrote to memory of 4704	4640	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\PO 7405591, 7756947 ,7756740.exe
"C:\Users\Admin\AppData\Local\Temp\PO 7405591, 7756947 ,7756740.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\RegAsm.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\RegAsm.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
memory/2556-131-0x000000000A890000-0x000000000AE34000-memory.dmp

Filesize
5.6MB

Download
memory/2556-132-0x000000000A380000-0x000000000A3C4000-memory.dmp

Filesize
272KB

Download
memory/2556-133-0x000000000A3D0000-0x000000000A3F2000-memory.dmp

Filesize
136KB

Download
memory/2556-134-0x000000000A5A0000-0x000000000A632000-memory.dmp

Filesize
584KB

Download
memory/2556-130-0x0000000000160000-0x00000000002A0000-memory.dmp

Filesize
1.2MB

Download
memory/3696-140-0x0000000005A30000-0x0000000005A96000-memory.dmp

Filesize
408KB

Download
memory/3696-136-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3696-139-0x00000000057C0000-0x000000000585C000-memory.dmp

Filesize
624KB

Download
memory/3696-135-0x0000000000000000-mapping.dmp

Download
memory/4640-141-0x0000000000000000-mapping.dmp

Download
memory/4704-144-0x0000000005480000-0x0000000005AA8000-memory.dmp

Filesize
6.2MB

Download
memory/4704-143-0x0000000002910000-0x0000000002946000-memory.dmp

Filesize
216KB

Download
memory/4704-142-0x0000000000000000-mapping.dmp

Download
memory/4704-145-0x0000000005340000-0x00000000053A6000-memory.dmp

Filesize
408KB

Download
memory/4704-146-0x0000000006240000-0x000000000625E000-memory.dmp

Filesize
120KB

Download
memory/4704-147-0x0000000007C60000-0x00000000082DA000-memory.dmp

Filesize
6.5MB

Download
memory/4704-148-0x00000000066F0000-0x000000000670A000-memory.dmp

Filesize
104KB

Download
memory/4704-149-0x00000000072A0000-0x0000000007336000-memory.dmp

Filesize
600KB

Download
memory/4704-150-0x0000000007200000-0x0000000007222000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads