masslogger | 63b9e6777bac66b18161ccfe8fa2edcca139c41546f17d9adaa19670a6f13f2e

General

Target

Order List Ref.exe
Size

937KB
MD5

f748102b28fc5ee9cf60dede96045339
SHA1

23cb3c7476b0eb18180524f707d9c816f75a9dd9
SHA256

21e24dd09fbda231081888702ec13d7e371470c6ecd104fa3b0a0f3743f0a254
SHA512

6e5fae9db68d76ced574a78ae675817f744103e8737d43fef889245e9595036e995d476755731ca510004fef3fb18fd1fdb84291de52ee381b596734f7adb024

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4296-135-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

Processes:

Order List Ref.exe

description pid process target process

PID 2388 set thread context of 4296 2388 Order List Ref.exe Order List Ref.exe

description	pid	process	target process
PID 2388 set thread context of 4296	2388	Order List Ref.exe	Order List Ref.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

Order List Ref.exeOrder List Ref.exepowershell.exe

pid	process
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
2388	Order List Ref.exe
4296	Order List Ref.exe
4296	Order List Ref.exe
2340	powershell.exe
2340	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Order List Ref.exeOrder List Ref.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2388	Order List Ref.exe
Token: SeDebugPrivilege	4296	Order List Ref.exe
Token: SeDebugPrivilege	2340	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Order List Ref.exeOrder List Ref.execmd.exe

description	pid	process	target process
PID 2388 wrote to memory of 4296	2388	Order List Ref.exe	Order List Ref.exe
PID 2388 wrote to memory of 4296	2388	Order List Ref.exe	Order List Ref.exe
PID 2388 wrote to memory of 4296	2388	Order List Ref.exe	Order List Ref.exe
PID 2388 wrote to memory of 4296	2388	Order List Ref.exe	Order List Ref.exe
PID 2388 wrote to memory of 4296	2388	Order List Ref.exe	Order List Ref.exe
PID 2388 wrote to memory of 4296	2388	Order List Ref.exe	Order List Ref.exe
PID 2388 wrote to memory of 4296	2388	Order List Ref.exe	Order List Ref.exe
PID 2388 wrote to memory of 4296	2388	Order List Ref.exe	Order List Ref.exe
PID 4296 wrote to memory of 464	4296	Order List Ref.exe	cmd.exe
PID 4296 wrote to memory of 464	4296	Order List Ref.exe	cmd.exe
PID 4296 wrote to memory of 464	4296	Order List Ref.exe	cmd.exe
PID 464 wrote to memory of 2340	464	cmd.exe	powershell.exe
PID 464 wrote to memory of 2340	464	cmd.exe	powershell.exe
PID 464 wrote to memory of 2340	464	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Order List Ref.exe
"C:\Users\Admin\AppData\Local\Temp\Order List Ref.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Local\Temp\Order List Ref.exe
"C:\Users\Admin\AppData\Local\Temp\Order List Ref.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order List Ref.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order List Ref.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/464-137-0x0000000000000000-mapping.dmp

Download
memory/2340-142-0x0000000005BD0000-0x0000000005C36000-memory.dmp

Filesize
408KB

Download
memory/2340-141-0x00000000053D0000-0x00000000053F2000-memory.dmp

Filesize
136KB

Download
memory/2340-139-0x0000000004DD0000-0x0000000004E06000-memory.dmp

Filesize
216KB

Download
memory/2340-147-0x00000000072E0000-0x0000000007302000-memory.dmp

Filesize
136KB

Download
memory/2340-140-0x00000000055A0000-0x0000000005BC8000-memory.dmp

Filesize
6.2MB

Download
memory/2340-144-0x0000000007950000-0x0000000007FCA000-memory.dmp

Filesize
6.5MB

Download
memory/2340-143-0x0000000006200000-0x000000000621E000-memory.dmp

Filesize
120KB

Download
memory/2340-145-0x0000000006850000-0x000000000686A000-memory.dmp

Filesize
104KB

Download
memory/2340-138-0x0000000000000000-mapping.dmp

Download
memory/2340-146-0x0000000007380000-0x0000000007416000-memory.dmp

Filesize
600KB

Download
memory/2388-133-0x0000000004D60000-0x0000000004DFC000-memory.dmp

Filesize
624KB

Download
memory/2388-130-0x0000000000030000-0x0000000000120000-memory.dmp

Filesize
960KB

Download
memory/2388-131-0x0000000004EB0000-0x0000000005454000-memory.dmp

Filesize
5.6MB

Download
memory/2388-132-0x00000000049A0000-0x0000000004A32000-memory.dmp

Filesize
584KB

Download
memory/4296-136-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/4296-135-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4296-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads