masslogger | d11166ad387874547d8990d7e397eaca6669748280450834ab1a8695bd951386

General

Target

PO3856221.exe
Size

1.1MB
MD5

0e07446ec588425ca3423dead360978e
SHA1

14b80662c40ee1826d83bbc4e43f96acb5e3c586
SHA256

66be42e48ac5cca62e07acb170e1965756f0556ac5ad9a3070c64c6e74a11fa7
SHA512

466f26f265e807090916da0d7ff1fbdb281a5a60579c73e3d55354ecfa4ae47b6070f28489a82cb378b657bad2dfe23134e54d20173597ad6fc37d888c961381

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4276-136-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger

Loads dropped DLL 1 IoCs

Processes:

PO3856221.exe

pid process

3076 PO3856221.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO3856221.exe

description pid process target process

PID 3076 set thread context of 4276 3076 PO3856221.exe PO3856221.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

PO3856221.exePO3856221.exepowershell.exe

pid process

3076 PO3856221.exe
3076 PO3856221.exe
3076 PO3856221.exe
4276 PO3856221.exe
4276 PO3856221.exe
436 powershell.exe
436 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO3856221.exePO3856221.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3076 PO3856221.exe
Token: SeDebugPrivilege 4276 PO3856221.exe
Token: SeDebugPrivilege 436 powershell.exe

pid	process
3076	PO3856221.exe

description	pid	process	target process
PID 3076 set thread context of 4276	3076	PO3856221.exe	PO3856221.exe

pid	process
3076	PO3856221.exe
3076	PO3856221.exe
3076	PO3856221.exe
4276	PO3856221.exe
4276	PO3856221.exe
436	powershell.exe
436	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3076	PO3856221.exe
Token: SeDebugPrivilege	4276	PO3856221.exe
Token: SeDebugPrivilege	436	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

PO3856221.exePO3856221.execmd.exe

description	pid	process	target process
PID 3076 wrote to memory of 4276	3076	PO3856221.exe	PO3856221.exe
PID 3076 wrote to memory of 4276	3076	PO3856221.exe	PO3856221.exe
PID 3076 wrote to memory of 4276	3076	PO3856221.exe	PO3856221.exe
PID 3076 wrote to memory of 4276	3076	PO3856221.exe	PO3856221.exe
PID 3076 wrote to memory of 4276	3076	PO3856221.exe	PO3856221.exe
PID 3076 wrote to memory of 4276	3076	PO3856221.exe	PO3856221.exe
PID 3076 wrote to memory of 4276	3076	PO3856221.exe	PO3856221.exe
PID 3076 wrote to memory of 4276	3076	PO3856221.exe	PO3856221.exe
PID 4276 wrote to memory of 4624	4276	PO3856221.exe	cmd.exe
PID 4276 wrote to memory of 4624	4276	PO3856221.exe	cmd.exe
PID 4276 wrote to memory of 4624	4276	PO3856221.exe	cmd.exe
PID 4624 wrote to memory of 436	4624	cmd.exe	powershell.exe
PID 4624 wrote to memory of 436	4624	cmd.exe	powershell.exe
PID 4624 wrote to memory of 436	4624	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\PO3856221.exe
"C:\Users\Admin\AppData\Local\Temp\PO3856221.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Users\Admin\AppData\Local\Temp\PO3856221.exe
  "C:\Users\Admin\AppData\Local\Temp\PO3856221.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PO3856221.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\PO3856221.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO3856221.exe.log

Filesize
1KB

MD5
fc13935f3038bdde6cb484249fbff668

SHA1
a4c32013e6d59bf1eb1a5119456965de191e62b8

SHA256
de064c569a5f4edaf2da91d7bcb82bab06a35190b699cede1da0aa616a23d676

SHA512
5817275af0f8a48eb1e008d39f62fb3582db9a2d21a806e9f9ee36fbfd799fb17e91f0e3686f4b236724fe78f14ae7f40cd3755f0ec0fb6734ce42f996b798f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\c08e67e7-d17e-42f4-84a8-059771d01a58\AgileDotNetRT.dll

Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
memory/436-142-0x0000000002AF0000-0x0000000002B26000-memory.dmp

Filesize
216KB

Download
memory/436-148-0x00000000068F0000-0x000000000690A000-memory.dmp

Filesize
104KB

Download
memory/436-145-0x0000000005C10000-0x0000000005C76000-memory.dmp

Filesize
408KB

Download
memory/436-144-0x0000000005440000-0x0000000005462000-memory.dmp

Filesize
136KB

Download
memory/436-150-0x00000000075A0000-0x00000000075C2000-memory.dmp

Filesize
136KB

Download
memory/436-143-0x0000000005570000-0x0000000005B98000-memory.dmp

Filesize
6.2MB

Download
memory/436-149-0x0000000007640000-0x00000000076D6000-memory.dmp

Filesize
600KB

Download
memory/436-146-0x0000000006410000-0x000000000642E000-memory.dmp

Filesize
120KB

Download
memory/436-147-0x0000000007C20000-0x000000000829A000-memory.dmp

Filesize
6.5MB

Download
memory/436-141-0x0000000000000000-mapping.dmp

Download
memory/3076-133-0x0000000005F60000-0x0000000006504000-memory.dmp

Filesize
5.6MB

Download
memory/3076-132-0x00000000735D0000-0x0000000073659000-memory.dmp

Filesize
548KB

Download
memory/3076-130-0x0000000000540000-0x0000000000666000-memory.dmp

Filesize
1.1MB

Download
memory/3076-134-0x0000000005A90000-0x0000000005B22000-memory.dmp

Filesize
584KB

Download
memory/4276-135-0x0000000000000000-mapping.dmp

Download
memory/4276-139-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/4276-138-0x0000000005590000-0x000000000562C000-memory.dmp

Filesize
624KB

Download
memory/4276-136-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4624-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads