masslogger | 889f57e4c5200656ce7a7b9c60157870771a3567430dd3cbb6093200a07d8e80

General

Target

ORDEN DE COMPRA-pdf.exe
Size

1.4MB
MD5

a7e8bdffb98b0c316a43db5c2f0cd2ab
SHA1

e95f026dc654ce2f2af9fd7ffb5d03215c45f6db
SHA256

e16f2a118c2150aaa6ac8c5587737557e6abc4ba57023a78644634eac9fbf696
SHA512

58bf7b00febc521fb27a4a05ebd1e19d078081843b1aced48b0033433d1ccf0bce4e4d10d69cb80b31ced494b9799b1e018f6e67f316f54b9ec46bf8a1fb8272

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 2 IoCs

resource	yara_rule
behavioral2/memory/60-130-0x00000000007C0000-0x0000000000928000-memory.dmp	family_masslogger
behavioral2/memory/5028-137-0x0000000000550000-0x0000000000608000-memory.dmp	family_masslogger

Executes dropped EXE 1 IoCs

pid	Process
5028	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 60 set thread context of 5028	60	ORDEN DE COMPRA-pdf.exe	78

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
60	ORDEN DE COMPRA-pdf.exe
60	ORDEN DE COMPRA-pdf.exe
60	ORDEN DE COMPRA-pdf.exe
5028	RegAsm.exe
5028	RegAsm.exe
1188	powershell.exe
1188	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	60	ORDEN DE COMPRA-pdf.exe
Token: SeDebugPrivilege	5028	RegAsm.exe
Token: SeDebugPrivilege	1188	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 5028	60	ORDEN DE COMPRA-pdf.exe	78
PID 60 wrote to memory of 5028	60	ORDEN DE COMPRA-pdf.exe	78
PID 60 wrote to memory of 5028	60	ORDEN DE COMPRA-pdf.exe	78
PID 60 wrote to memory of 5028	60	ORDEN DE COMPRA-pdf.exe	78
PID 60 wrote to memory of 5028	60	ORDEN DE COMPRA-pdf.exe	78
PID 60 wrote to memory of 5028	60	ORDEN DE COMPRA-pdf.exe	78
PID 60 wrote to memory of 5028	60	ORDEN DE COMPRA-pdf.exe	78
PID 60 wrote to memory of 5028	60	ORDEN DE COMPRA-pdf.exe	78
PID 5028 wrote to memory of 4324	5028	RegAsm.exe	79
PID 5028 wrote to memory of 4324	5028	RegAsm.exe	79
PID 5028 wrote to memory of 4324	5028	RegAsm.exe	79
PID 4324 wrote to memory of 1188	4324	cmd.exe	81
PID 4324 wrote to memory of 1188	4324	cmd.exe	81
PID 4324 wrote to memory of 1188	4324	cmd.exe	81

C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA-pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:60
- C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\RegAsm.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\RegAsm.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
memory/60-131-0x0000000005F50000-0x00000000064F4000-memory.dmp

Filesize
5.6MB

Download
memory/60-132-0x0000000005A90000-0x0000000005B22000-memory.dmp

Filesize
584KB

Download
memory/60-130-0x00000000007C0000-0x0000000000928000-memory.dmp

Filesize
1.4MB

Download
memory/1188-146-0x00000000061A0000-0x00000000061BE000-memory.dmp

Filesize
120KB

Download
memory/1188-150-0x00000000066F0000-0x0000000006712000-memory.dmp

Filesize
136KB

Download
memory/1188-149-0x00000000071F0000-0x0000000007286000-memory.dmp

Filesize
600KB

Download
memory/1188-148-0x00000000066A0000-0x00000000066BA000-memory.dmp

Filesize
104KB

Download
memory/1188-147-0x00000000077D0000-0x0000000007E4A000-memory.dmp

Filesize
6.5MB

Download
memory/1188-142-0x0000000002870000-0x00000000028A6000-memory.dmp

Filesize
216KB

Download
memory/1188-143-0x0000000005390000-0x00000000059B8000-memory.dmp

Filesize
6.2MB

Download
memory/1188-144-0x00000000052F0000-0x0000000005312000-memory.dmp

Filesize
136KB

Download
memory/1188-145-0x0000000005A70000-0x0000000005AD6000-memory.dmp

Filesize
408KB

Download
memory/5028-137-0x0000000000550000-0x0000000000608000-memory.dmp

Filesize
736KB

Download
memory/5028-139-0x0000000004CD0000-0x0000000004D36000-memory.dmp

Filesize
408KB

Download
memory/5028-138-0x0000000004B40000-0x0000000004BDC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing