masslogger | 99d4d18e906e44d3b08aede8237928a7a6866378516bd07695f2bca4fc8a954f

General

Target

TECHNICAL SHEET.exe
Size

923KB
MD5

55126f1115a5e05fadd9d0f097273809
SHA1

f95d9e0be8191a2b3657584e5bcab782c1e36882
SHA256

d02c315a42a4a452a9e78011fbcce66f9f53bab788513d1b6f52e8fc70aa9f3c
SHA512

c2a8637b29326c90f1f8c828f7c762d9be203c1192a09f208b79c1d8627f82cd155bb5b5ac8a1ebc27338e7ff502d9f23c9b79a805e6b675afb7cd6f33585bab

Score

10^/10

masslogger collection ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\8236ADF044\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.5.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 10 Pro64bit CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 4:02:39 AM MassLogger Started: 5/21/2022 4:02:08 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\TECHNICAL SHEET.exe MassLogger Melt: false MassLogger Exit after delivery: true As Administrator: True Processes:

Extracted

Credentials

Protocol: smtp
Host:
mail.mkontakt.az
Port:
587
Username:
[email protected]
Password:
Onyeoba111

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 32 IoCs

Processes:

resource	yara_rule
behavioral4/memory/4516-138-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-140-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-142-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-144-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-146-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-148-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-150-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-152-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-154-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-156-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-158-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-160-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-162-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-164-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-166-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-168-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-170-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-172-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-174-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-176-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-178-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-180-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-182-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-184-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-186-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-188-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-190-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-192-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-194-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-196-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-198-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral4/memory/4516-200-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger

MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file

yara_rule
masslogger_log_file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TECHNICAL SHEET.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	TECHNICAL SHEET.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs

collection

Email Collection

T1114

Processes:

TECHNICAL SHEET.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TECHNICAL SHEET.exe
Key queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TECHNICAL SHEET.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	TECHNICAL SHEET.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TECHNICAL SHEET.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TECHNICAL SHEET.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	TECHNICAL SHEET.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	TECHNICAL SHEET.exe
Key queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	TECHNICAL SHEET.exe
Key queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TECHNICAL SHEET.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TECHNICAL SHEET.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TECHNICAL SHEET.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TECHNICAL SHEET.exe
Key queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	TECHNICAL SHEET.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TECHNICAL SHEET.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TECHNICAL SHEET.exe
Key queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	TECHNICAL SHEET.exe
Key queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TECHNICAL SHEET.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TECHNICAL SHEET.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

64 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

TECHNICAL SHEET.exe

description pid process target process

PID 1180 set thread context of 4516 1180 TECHNICAL SHEET.exe TECHNICAL SHEET.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

TECHNICAL SHEET.exe

pid process

4516 TECHNICAL SHEET.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

TECHNICAL SHEET.exe

pid process

4516 TECHNICAL SHEET.exe
4516 TECHNICAL SHEET.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

TECHNICAL SHEET.exe

description pid process

Token: SeDebugPrivilege 4516 TECHNICAL SHEET.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

TECHNICAL SHEET.exe

pid process

4516 TECHNICAL SHEET.exe

flow	ioc
64	api.ipify.org

description	pid	process	target process
PID 1180 set thread context of 4516	1180	TECHNICAL SHEET.exe	TECHNICAL SHEET.exe

pid	process
4516	TECHNICAL SHEET.exe

pid	process
4516	TECHNICAL SHEET.exe
4516	TECHNICAL SHEET.exe

description	pid	process
Token: SeDebugPrivilege	4516	TECHNICAL SHEET.exe

pid	process
4516	TECHNICAL SHEET.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

TECHNICAL SHEET.exe

description	pid	process	target process
PID 1180 wrote to memory of 4516	1180	TECHNICAL SHEET.exe	TECHNICAL SHEET.exe
PID 1180 wrote to memory of 4516	1180	TECHNICAL SHEET.exe	TECHNICAL SHEET.exe
PID 1180 wrote to memory of 4516	1180	TECHNICAL SHEET.exe	TECHNICAL SHEET.exe
PID 1180 wrote to memory of 4516	1180	TECHNICAL SHEET.exe	TECHNICAL SHEET.exe
PID 1180 wrote to memory of 4516	1180	TECHNICAL SHEET.exe	TECHNICAL SHEET.exe
PID 1180 wrote to memory of 4516	1180	TECHNICAL SHEET.exe	TECHNICAL SHEET.exe
PID 1180 wrote to memory of 4516	1180	TECHNICAL SHEET.exe	TECHNICAL SHEET.exe
PID 1180 wrote to memory of 4516	1180	TECHNICAL SHEET.exe	TECHNICAL SHEET.exe

outlook_office_path 1 IoCs

Processes:

TECHNICAL SHEET.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TECHNICAL SHEET.exe

outlook_win_path 1 IoCs

Processes:

TECHNICAL SHEET.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TECHNICAL SHEET.exe

C:\Users\Admin\AppData\Local\Temp\TECHNICAL SHEET.exe
"C:\Users\Admin\AppData\Local\Temp\TECHNICAL SHEET.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\TECHNICAL SHEET.exe
"{path}"
2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:4516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TECHNICAL SHEET.exe.log
Filesize
1KB

MD5
8783efc818e6c4b08cdd7dc7e06641d0

SHA1
481a410d390aefdd28ff1bc005d1ee46e7b092f2

SHA256
735a7e96c6b2d91b062f378d14291656b72c92d36b1a21584ce5b606b4ea8572

SHA512
1d48c97192d9ca4deca93a2a62dc6230d2752b1710c95660b41e89413b9b022a0139570d946580968bd04cf48497a6dc31e25d4aca7f477525b346ab0a302d32

Download Submit
memory/1180-130-0x0000000000E20000-0x0000000000F0E000-memory.dmp

Filesize
952KB

Download
memory/1180-131-0x0000000005E20000-0x00000000063C4000-memory.dmp

Filesize
5.6MB

Download
memory/1180-132-0x0000000005760000-0x00000000057F2000-memory.dmp

Filesize
584KB

Download
memory/1180-133-0x0000000005810000-0x000000000581A000-memory.dmp

Filesize
40KB

Download
memory/1180-134-0x00000000059A0000-0x00000000059B2000-memory.dmp

Filesize
72KB

Download
memory/1180-135-0x0000000005D80000-0x0000000005DA2000-memory.dmp

Filesize
136KB

Download
memory/1180-136-0x0000000009310000-0x00000000093AC000-memory.dmp

Filesize
624KB

Download
memory/4516-162-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-172-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-142-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-144-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-146-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-148-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-150-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-152-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-154-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-156-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-158-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-160-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-138-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-164-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-166-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-168-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-170-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-140-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-174-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-176-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-178-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-180-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-182-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-184-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-186-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-188-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-190-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-192-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-194-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-196-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-198-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-200-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4516-647-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/4516-648-0x0000000007C70000-0x0000000007CC0000-memory.dmp

Filesize
320KB

Download
memory/4516-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads