masslogger | 21d107d8adca406c6f56a279a78b27ca7e5732e46adfc9533be6e3190d41fd00

General

Target

Ekstre.exe
Size

1.2MB
MD5

89f1f5656da031a2efc09c53e4be99de
SHA1

889b3da7c04df4f5ada7c3ee11742854399e20b0
SHA256

18dce314a1d5ad6712fd2b1f80955c00155ec16e66e1039ac77c1849aa913577
SHA512

39b8e7b71f13e486db5032057a4d3bf9cce5ff407eda21f802d782f66e53f924e2dab3b6244341c94d7fe273643cfcd96eecf3affefca3cccfeedcf031062c81

Score

10^/10

masslogger persistence spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1788-54-0x00000000008F0000-0x0000000000A24000-memory.dmp	family_masslogger
\Users\Admin\Desktop\.exe	family_masslogger
C:\Users\Admin\Desktop\.exe	family_masslogger
C:\Users\Admin\Desktop\.exe	family_masslogger
behavioral1/memory/432-63-0x0000000000220000-0x0000000000354000-memory.dmp	family_masslogger
behavioral1/memory/760-70-0x0000000000400000-0x000000000049A000-memory.dmp	family_masslogger
behavioral1/memory/760-71-0x0000000000400000-0x000000000049A000-memory.dmp	family_masslogger
behavioral1/memory/760-72-0x0000000000400000-0x000000000049A000-memory.dmp	family_masslogger
behavioral1/memory/760-73-0x000000000049449E-mapping.dmp	family_masslogger
behavioral1/memory/760-76-0x0000000000400000-0x000000000049A000-memory.dmp	family_masslogger
behavioral1/memory/760-78-0x0000000000400000-0x000000000049A000-memory.dmp	family_masslogger

Executes dropped EXE 2 IoCs

Processes:

.exeRegAsm.exe

pid process

432 .exe
760 RegAsm.exe
Loads dropped DLL 3 IoCs

Processes:

Ekstre.exe.exeRegAsm.exe

pid process

1788 Ekstre.exe
432 .exe
760 RegAsm.exe

pid	process
432	.exe
760	RegAsm.exe

pid	process
1788	Ekstre.exe
432	.exe
760	RegAsm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\admin = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\Desktop\\.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

.exe

description pid process target process

PID 432 set thread context of 760 432 .exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Ekstre.exe.exe

pid process

1788 Ekstre.exe
1788 Ekstre.exe
432 .exe
432 .exe
432 .exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Ekstre.exe.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 1788 Ekstre.exe
Token: SeDebugPrivilege 432 .exe
Token: SeDebugPrivilege 760 RegAsm.exe

description	pid	process	target process
PID 432 set thread context of 760	432	.exe	RegAsm.exe

pid	process
1788	Ekstre.exe
1788	Ekstre.exe
432	.exe
432	.exe
432	.exe

description	pid	process
Token: SeDebugPrivilege	1788	Ekstre.exe
Token: SeDebugPrivilege	432	.exe
Token: SeDebugPrivilege	760	RegAsm.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Ekstre.execmd.exe.exe

description	pid	process	target process
PID 1788 wrote to memory of 1648	1788	Ekstre.exe	cmd.exe
PID 1788 wrote to memory of 1648	1788	Ekstre.exe	cmd.exe
PID 1788 wrote to memory of 1648	1788	Ekstre.exe	cmd.exe
PID 1788 wrote to memory of 1648	1788	Ekstre.exe	cmd.exe
PID 1648 wrote to memory of 1888	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 1888	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 1888	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 1888	1648	cmd.exe	reg.exe
PID 1788 wrote to memory of 432	1788	Ekstre.exe	.exe
PID 1788 wrote to memory of 432	1788	Ekstre.exe	.exe
PID 1788 wrote to memory of 432	1788	Ekstre.exe	.exe
PID 1788 wrote to memory of 432	1788	Ekstre.exe	.exe
PID 432 wrote to memory of 760	432	.exe	RegAsm.exe
PID 432 wrote to memory of 760	432	.exe	RegAsm.exe
PID 432 wrote to memory of 760	432	.exe	RegAsm.exe
PID 432 wrote to memory of 760	432	.exe	RegAsm.exe
PID 432 wrote to memory of 760	432	.exe	RegAsm.exe
PID 432 wrote to memory of 760	432	.exe	RegAsm.exe
PID 432 wrote to memory of 760	432	.exe	RegAsm.exe
PID 432 wrote to memory of 760	432	.exe	RegAsm.exe
PID 432 wrote to memory of 760	432	.exe	RegAsm.exe
PID 432 wrote to memory of 760	432	.exe	RegAsm.exe
PID 432 wrote to memory of 760	432	.exe	RegAsm.exe
PID 432 wrote to memory of 760	432	.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Ekstre.exe
"C:\Users\Admin\AppData\Local\Temp\Ekstre.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v admin /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v admin /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\.exe"
3⤵
- Adds Run key to start application
PID:1888

C:\Users\Admin\Desktop\.exe
"C:\Users\Admin\Desktop\.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:760

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\Desktop\.exe
Filesize
1.2MB

MD5
89f1f5656da031a2efc09c53e4be99de

SHA1
889b3da7c04df4f5ada7c3ee11742854399e20b0

SHA256
18dce314a1d5ad6712fd2b1f80955c00155ec16e66e1039ac77c1849aa913577

SHA512
39b8e7b71f13e486db5032057a4d3bf9cce5ff407eda21f802d782f66e53f924e2dab3b6244341c94d7fe273643cfcd96eecf3affefca3cccfeedcf031062c81

Download Submit
C:\Users\Admin\Desktop\.exe
Filesize
1.2MB

MD5
89f1f5656da031a2efc09c53e4be99de

SHA1
889b3da7c04df4f5ada7c3ee11742854399e20b0

SHA256
18dce314a1d5ad6712fd2b1f80955c00155ec16e66e1039ac77c1849aa913577

SHA512
39b8e7b71f13e486db5032057a4d3bf9cce5ff407eda21f802d782f66e53f924e2dab3b6244341c94d7fe273643cfcd96eecf3affefca3cccfeedcf031062c81

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\Desktop\.exe
Filesize
1.2MB

MD5
89f1f5656da031a2efc09c53e4be99de

SHA1
889b3da7c04df4f5ada7c3ee11742854399e20b0

SHA256
18dce314a1d5ad6712fd2b1f80955c00155ec16e66e1039ac77c1849aa913577

SHA512
39b8e7b71f13e486db5032057a4d3bf9cce5ff407eda21f802d782f66e53f924e2dab3b6244341c94d7fe273643cfcd96eecf3affefca3cccfeedcf031062c81

Download Submit
memory/432-63-0x0000000000220000-0x0000000000354000-memory.dmp

Filesize
1.2MB

Download
memory/432-60-0x0000000000000000-mapping.dmp

Download
memory/760-76-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/760-72-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/760-81-0x00000000004A0000-0x00000000004E4000-memory.dmp

Filesize
272KB

Download
memory/760-67-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/760-68-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/760-70-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/760-71-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/760-78-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/760-73-0x000000000049449E-mapping.dmp

Download
memory/1648-57-0x0000000000000000-mapping.dmp

Download
memory/1788-56-0x0000000000460000-0x000000000047E000-memory.dmp

Filesize
120KB

Download
memory/1788-54-0x00000000008F0000-0x0000000000A24000-memory.dmp

Filesize
1.2MB

Download
memory/1788-55-0x0000000075DB1000-0x0000000075DB3000-memory.dmp

Filesize
8KB

Download
memory/1888-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads