masslogger | 198f0de0ad9295ded03239d689b9a6e64ce4d694dfdfd27bc002230d1886e38b

General

Target

ORDER202.exe
Size

941KB
MD5

0a3d357409cb2337a4d533b64b8265cd
SHA1

33cd12b0333af20dcb611b1f42d6a62f8167e90b
SHA256

5f678c283847316bd366cc6a5dcd2b20072271080f493607a03ecd5d26ba65a7
SHA512

8b2f1ad1c8260e2afabf8290d680ee29249fe2edb79d7740b039729f9cc5bbd3231836ac249a206488cb375efe9c3f5979b9b1b7e30e56b19c5692365b67fb64

Score

10^/10

masslogger collection evasion spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 32 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4740-139-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-141-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-143-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-145-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-147-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-149-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-151-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-153-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-155-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-157-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-159-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-161-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-165-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-163-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-167-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-169-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-171-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-173-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-175-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-177-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-179-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-181-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-183-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-185-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-187-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-189-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-191-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-193-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-195-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-197-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-199-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral2/memory/4740-201-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger

MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file
Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

yara_rule
masslogger_log_file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ORDER202.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	ORDER202.exe

Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

ORDER202.exe

description pid process target process

PID 4828 set thread context of 4740 4828 ORDER202.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2088 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

RegSvcs.exe

pid process

4740 RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ORDER202.exeRegSvcs.exe

pid process

4828 ORDER202.exe
4828 ORDER202.exe
4740 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ORDER202.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 4828 ORDER202.exe
Token: SeDebugPrivilege 4740 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

4740 RegSvcs.exe

flow	ioc
39	api.ipify.org

description	pid	process	target process
PID 4828 set thread context of 4740	4828	ORDER202.exe	RegSvcs.exe

pid	process
2088	schtasks.exe

pid	process
4740	RegSvcs.exe

pid	process
4828	ORDER202.exe
4828	ORDER202.exe
4740	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4828	ORDER202.exe
Token: SeDebugPrivilege	4740	RegSvcs.exe

pid	process
4740	RegSvcs.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ORDER202.exe

description	pid	process	target process
PID 4828 wrote to memory of 2088	4828	ORDER202.exe	schtasks.exe
PID 4828 wrote to memory of 2088	4828	ORDER202.exe	schtasks.exe
PID 4828 wrote to memory of 2088	4828	ORDER202.exe	schtasks.exe
PID 4828 wrote to memory of 2196	4828	ORDER202.exe	RegSvcs.exe
PID 4828 wrote to memory of 2196	4828	ORDER202.exe	RegSvcs.exe
PID 4828 wrote to memory of 2196	4828	ORDER202.exe	RegSvcs.exe
PID 4828 wrote to memory of 4740	4828	ORDER202.exe	RegSvcs.exe
PID 4828 wrote to memory of 4740	4828	ORDER202.exe	RegSvcs.exe
PID 4828 wrote to memory of 4740	4828	ORDER202.exe	RegSvcs.exe
PID 4828 wrote to memory of 4740	4828	ORDER202.exe	RegSvcs.exe
PID 4828 wrote to memory of 4740	4828	ORDER202.exe	RegSvcs.exe
PID 4828 wrote to memory of 4740	4828	ORDER202.exe	RegSvcs.exe
PID 4828 wrote to memory of 4740	4828	ORDER202.exe	RegSvcs.exe
PID 4828 wrote to memory of 4740	4828	ORDER202.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\ORDER202.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER202.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hkEmZYRoabC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2F3E.tmp"
2⤵
- Creates scheduled task(s)
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:2196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:4740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Hidden Files and Directories

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2F3E.tmp
Filesize
1KB

MD5
5f3b8012c2dac08869c4241594b55fa2

SHA1
d7bb06856c8561fd3d9b93700f877e30634d1002

SHA256
17505127dd776ded11e44ce620c99366e897bdcd49a3f27f1ed8214e216dfe80

SHA512
0cf4b0474c04641adf32697a9acee849ea54a9872a2b9b805ac11508c3a824896c838833b91fc779f95bbd21dfcc053ee91252938ab5abc2f027af1960b7752c

Download Submit
memory/2088-135-0x0000000000000000-mapping.dmp

Download
memory/2196-137-0x0000000000000000-mapping.dmp

Download
memory/4740-161-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-195-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-639-0x0000000006D60000-0x0000000006DB0000-memory.dmp

Filesize
320KB

Download
memory/4740-638-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/4740-201-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-138-0x0000000000000000-mapping.dmp

Download
memory/4740-165-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-141-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-143-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-145-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-147-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-149-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-151-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-153-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-155-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-157-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-159-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-167-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-139-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-199-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-197-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-169-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-171-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-173-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-175-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-177-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-179-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-181-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-183-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-185-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-187-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-189-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-191-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-193-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4740-163-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4828-130-0x00000000000A0000-0x0000000000192000-memory.dmp

Filesize
968KB

Download
memory/4828-134-0x0000000009990000-0x0000000009A2C000-memory.dmp

Filesize
624KB

Download
memory/4828-131-0x0000000007670000-0x0000000007C14000-memory.dmp

Filesize
5.6MB

Download
memory/4828-132-0x0000000007160000-0x00000000071F2000-memory.dmp

Filesize
584KB

Download
memory/4828-133-0x0000000007100000-0x000000000710A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads