masslogger | 9ac5dab94f488da04edfba6206d21012883f423037adfebf7e475571cee5b84d

Analysis

max time kernel
154s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scan_DSV 01072020_100284001972_PDF.exe
Size

970KB
MD5

40b83c8155808ea18beef168bea47055
SHA1

0dc6101d19d2c4a922db993be442b01200cba87e
SHA256

a39ea4510d732392bba8682a020321dc7dfa259387244117cc90e072fea20c82
SHA512

850542f39ebfa38158d210e360f6f378753a16045b399a7f40c39fecac99d75b46757803b1e0064e1877b377599def977ff921378da5f4526f050770d579226e

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 32 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3532-137-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-139-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-141-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-143-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-145-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-147-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-149-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-151-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-153-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-155-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-157-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-159-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-161-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-163-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-165-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-167-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-169-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-171-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-173-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-175-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-177-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-179-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-181-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-183-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-185-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-187-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-189-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-191-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-193-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-195-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-197-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3532-199-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

Processes:

Scan_DSV 01072020_100284001972_PDF.exe

description	pid	process	target process
PID 3448 set thread context of 3532	3448	Scan_DSV 01072020_100284001972_PDF.exe	Scan_DSV 01072020_100284001972_PDF.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Scan_DSV 01072020_100284001972_PDF.exe

pid process

3448 Scan_DSV 01072020_100284001972_PDF.exe
3448 Scan_DSV 01072020_100284001972_PDF.exe

pid	process
3448	Scan_DSV 01072020_100284001972_PDF.exe
3448	Scan_DSV 01072020_100284001972_PDF.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Scan_DSV 01072020_100284001972_PDF.exeScan_DSV 01072020_100284001972_PDF.exe

description	pid	process
Token: SeDebugPrivilege	3448	Scan_DSV 01072020_100284001972_PDF.exe
Token: SeDebugPrivilege	3532	Scan_DSV 01072020_100284001972_PDF.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Scan_DSV 01072020_100284001972_PDF.exe

description	pid	process	target process
PID 3448 wrote to memory of 1088	3448	Scan_DSV 01072020_100284001972_PDF.exe	Scan_DSV 01072020_100284001972_PDF.exe
PID 3448 wrote to memory of 1088	3448	Scan_DSV 01072020_100284001972_PDF.exe	Scan_DSV 01072020_100284001972_PDF.exe
PID 3448 wrote to memory of 1088	3448	Scan_DSV 01072020_100284001972_PDF.exe	Scan_DSV 01072020_100284001972_PDF.exe
PID 3448 wrote to memory of 3532	3448	Scan_DSV 01072020_100284001972_PDF.exe	Scan_DSV 01072020_100284001972_PDF.exe
PID 3448 wrote to memory of 3532	3448	Scan_DSV 01072020_100284001972_PDF.exe	Scan_DSV 01072020_100284001972_PDF.exe
PID 3448 wrote to memory of 3532	3448	Scan_DSV 01072020_100284001972_PDF.exe	Scan_DSV 01072020_100284001972_PDF.exe
PID 3448 wrote to memory of 3532	3448	Scan_DSV 01072020_100284001972_PDF.exe	Scan_DSV 01072020_100284001972_PDF.exe
PID 3448 wrote to memory of 3532	3448	Scan_DSV 01072020_100284001972_PDF.exe	Scan_DSV 01072020_100284001972_PDF.exe
PID 3448 wrote to memory of 3532	3448	Scan_DSV 01072020_100284001972_PDF.exe	Scan_DSV 01072020_100284001972_PDF.exe
PID 3448 wrote to memory of 3532	3448	Scan_DSV 01072020_100284001972_PDF.exe	Scan_DSV 01072020_100284001972_PDF.exe
PID 3448 wrote to memory of 3532	3448	Scan_DSV 01072020_100284001972_PDF.exe	Scan_DSV 01072020_100284001972_PDF.exe

C:\Users\Admin\AppData\Local\Temp\Scan_DSV 01072020_100284001972_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Scan_DSV 01072020_100284001972_PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Local\Temp\Scan_DSV 01072020_100284001972_PDF.exe
  "{path}"
  2⤵
  PID:1088
- C:\Users\Admin\AppData\Local\Temp\Scan_DSV 01072020_100284001972_PDF.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-135-0x0000000000000000-mapping.dmp

Download
memory/3448-130-0x0000000000EF0000-0x0000000000FE8000-memory.dmp

Filesize
992KB

Download
memory/3448-131-0x0000000006060000-0x0000000006604000-memory.dmp

Filesize
5.6MB

Download
memory/3448-132-0x0000000005C50000-0x0000000005CE2000-memory.dmp

Filesize
584KB

Download
memory/3448-133-0x0000000005C10000-0x0000000005C1A000-memory.dmp

Filesize
40KB

Download
memory/3448-134-0x0000000009A30000-0x0000000009ACC000-memory.dmp

Filesize
624KB

Download
memory/3532-159-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-169-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-139-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-141-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-143-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-145-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-147-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-149-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-151-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-153-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-155-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-157-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-136-0x0000000000000000-mapping.dmp

Download
memory/3532-161-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-163-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-165-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-167-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-137-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-171-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-173-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-175-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-177-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-179-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-181-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-183-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-185-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-187-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-189-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-191-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-193-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-195-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-197-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3532-199-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download