masslogger | 198f0de0ad9295ded03239d689b9a6e64ce4d694dfdfd27bc002230d1886e38b

Analysis

max time kernel
90s
max time network
151s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER202.exe
Size

941KB
MD5

0a3d357409cb2337a4d533b64b8265cd
SHA1

33cd12b0333af20dcb611b1f42d6a62f8167e90b
SHA256

5f678c283847316bd366cc6a5dcd2b20072271080f493607a03ecd5d26ba65a7
SHA512

8b2f1ad1c8260e2afabf8290d680ee29249fe2edb79d7740b039729f9cc5bbd3231836ac249a206488cb375efe9c3f5979b9b1b7e30e56b19c5692365b67fb64

Score

10^/10

masslogger collection coreentity evasion rezer0 spyware stealer

Malware Config

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

resource	yara_rule
behavioral1/memory/1492-57-0x00000000004A0000-0x00000000004A8000-memory.dmp	coreentity

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 32 IoCs

resource	yara_rule
behavioral1/memory/1988-64-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-65-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-66-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-67-0x00000000004A1E2E-mapping.dmp	family_masslogger
behavioral1/memory/1988-69-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-71-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-73-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-75-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-77-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-79-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-81-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-83-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-85-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-87-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-89-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-91-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-93-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-95-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-97-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-99-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-101-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-103-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-105-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-107-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-109-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-111-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-113-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-115-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-117-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-119-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-121-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1988-123-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger

MassLogger log file 1 IoCs

Detects a log file produced by MassLogger.

yara_rule
masslogger_log_file

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/1492-58-0x0000000007890000-0x000000000793E000-memory.dmp	rezer0

Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1492 set thread context of 1988	1492	ORDER202.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1312	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1988	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1492	ORDER202.exe
1492	ORDER202.exe
1988	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	ORDER202.exe
Token: SeDebugPrivilege	1988	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1988	RegSvcs.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1312	1492	ORDER202.exe	27
PID 1492 wrote to memory of 1312	1492	ORDER202.exe	27
PID 1492 wrote to memory of 1312	1492	ORDER202.exe	27
PID 1492 wrote to memory of 1312	1492	ORDER202.exe	27
PID 1492 wrote to memory of 2024	1492	ORDER202.exe	29
PID 1492 wrote to memory of 2024	1492	ORDER202.exe	29
PID 1492 wrote to memory of 2024	1492	ORDER202.exe	29
PID 1492 wrote to memory of 2024	1492	ORDER202.exe	29
PID 1492 wrote to memory of 2024	1492	ORDER202.exe	29
PID 1492 wrote to memory of 2024	1492	ORDER202.exe	29
PID 1492 wrote to memory of 2024	1492	ORDER202.exe	29
PID 1492 wrote to memory of 1988	1492	ORDER202.exe	30
PID 1492 wrote to memory of 1988	1492	ORDER202.exe	30
PID 1492 wrote to memory of 1988	1492	ORDER202.exe	30
PID 1492 wrote to memory of 1988	1492	ORDER202.exe	30
PID 1492 wrote to memory of 1988	1492	ORDER202.exe	30
PID 1492 wrote to memory of 1988	1492	ORDER202.exe	30
PID 1492 wrote to memory of 1988	1492	ORDER202.exe	30
PID 1492 wrote to memory of 1988	1492	ORDER202.exe	30
PID 1492 wrote to memory of 1988	1492	ORDER202.exe	30
PID 1492 wrote to memory of 1988	1492	ORDER202.exe	30
PID 1492 wrote to memory of 1988	1492	ORDER202.exe	30
PID 1492 wrote to memory of 1988	1492	ORDER202.exe	30

outlook_office_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\ORDER202.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER202.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hkEmZYRoabC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD4A.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD4A.tmp

Filesize
1KB

MD5
9d4c14cf45fc912249672eec091ecdd5

SHA1
3567289b2edd8dd4a042706710c2c7bf53a55897

SHA256
bf8d2379a38ba747abbaf150bfd8d10285069cd82e13cc8af20df78b5616304b

SHA512
20fab2e71483101a431edd47c4abae68d761149b12add0a7cf8046bd5589d9e72ed970e0e54e3c93f01b642125bd6342f19519fbe00d53136a54e71318a6fa59

Download Submit
memory/1492-54-0x0000000001020000-0x0000000001112000-memory.dmp

Filesize
968KB

Download
memory/1492-55-0x0000000000F50000-0x000000000101A000-memory.dmp

Filesize
808KB

Download
memory/1492-56-0x0000000074C81000-0x0000000074C83000-memory.dmp

Filesize
8KB

Download
memory/1492-57-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/1492-58-0x0000000007890000-0x000000000793E000-memory.dmp

Filesize
696KB

Download
memory/1988-83-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-91-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-64-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-65-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-66-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-69-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-71-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-73-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-75-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-77-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-79-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-81-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-61-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-85-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-87-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-89-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-62-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-93-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-95-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-97-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-99-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-101-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-103-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-105-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-107-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-109-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-111-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-113-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-115-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-117-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-119-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-121-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-123-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1988-571-0x0000000004C30000-0x0000000004C74000-memory.dmp

Filesize
272KB

Download