masslogger | bc501d3b47f591276bfa86741e6891f0141d5fbfa63f0f506b5eb1bb34a1c9a6

General

Target

Contract RequestPurchase Order.exe
Size

862KB
MD5

983c9501317f9b4091073e067900afb3
SHA1

62f508b5fb7e80f5b755e5c6b351d244ddfce74f
SHA256

7bb0368333b8dc8c6b4c422f11c02ec43d385547b460c2f1f8cf78013521a2f5
SHA512

b587eb07df4d9388f28764340419e7981e6b47c76e58fb26305b1c952623d05c42c4a7886ccc6c50ea57148a561f5909bf8282afb1883f253cb6eb94e179a7d0

Score

10^/10

masslogger evasion spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4512-136-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Contract RequestPurchase Order.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Contract RequestPurchase Order.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Contract RequestPurchase Order.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Contract RequestPurchase Order.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5108 set thread context of 4512	5108	Contract RequestPurchase Order.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4928	powershell.exe
4928	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 4512	5108	Contract RequestPurchase Order.exe	90
PID 5108 wrote to memory of 4512	5108	Contract RequestPurchase Order.exe	90
PID 5108 wrote to memory of 4512	5108	Contract RequestPurchase Order.exe	90
PID 5108 wrote to memory of 4512	5108	Contract RequestPurchase Order.exe	90
PID 5108 wrote to memory of 4512	5108	Contract RequestPurchase Order.exe	90
PID 5108 wrote to memory of 4512	5108	Contract RequestPurchase Order.exe	90
PID 5108 wrote to memory of 4512	5108	Contract RequestPurchase Order.exe	90
PID 5108 wrote to memory of 4512	5108	Contract RequestPurchase Order.exe	90
PID 4512 wrote to memory of 3092	4512	Contract RequestPurchase Order.exe	91
PID 4512 wrote to memory of 3092	4512	Contract RequestPurchase Order.exe	91
PID 4512 wrote to memory of 3092	4512	Contract RequestPurchase Order.exe	91
PID 3092 wrote to memory of 4928	3092	cmd.exe	93
PID 3092 wrote to memory of 4928	3092	cmd.exe	93
PID 3092 wrote to memory of 4928	3092	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\Contract RequestPurchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Contract RequestPurchase Order.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Users\Admin\AppData\Local\Temp\Contract RequestPurchase Order.exe
  "{path}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Contract RequestPurchase Order.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Contract RequestPurchase Order.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Contract RequestPurchase Order.exe.log

Filesize
599B

MD5
aafc627f91117039190bb80d5076e958

SHA1
3e2b20456921ec6c2f49d4aee04096fd915d325b

SHA256
fcc0ab0ea241330be2583468f17f974fccb9a239214e7854e18f587d0ec3b87a

SHA512
5d27b432f27973691b7c7f61487d308c4b8e1c6a8b3db59e47e2de20c6d0ff12367e5b2dacaa3e6b6eb9b8192bb078b732162f803bb74ccad0391ff0d97107fb

Download Submit
memory/4512-136-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4928-142-0x0000000004DE0000-0x0000000004E02000-memory.dmp

Filesize
136KB

Download
memory/4928-144-0x0000000005C70000-0x0000000005C8E000-memory.dmp

Filesize
120KB

Download
memory/4928-148-0x0000000006280000-0x00000000062A2000-memory.dmp

Filesize
136KB

Download
memory/4928-147-0x0000000006F20000-0x0000000006FB6000-memory.dmp

Filesize
600KB

Download
memory/4928-146-0x0000000006180000-0x000000000619A000-memory.dmp

Filesize
104KB

Download
memory/4928-140-0x0000000002350000-0x0000000002386000-memory.dmp

Filesize
216KB

Download
memory/4928-141-0x0000000004E40000-0x0000000005468000-memory.dmp

Filesize
6.2MB

Download
memory/4928-145-0x0000000007500000-0x0000000007B7A000-memory.dmp

Filesize
6.5MB

Download
memory/4928-143-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/5108-134-0x0000000006D50000-0x0000000006DB6000-memory.dmp

Filesize
408KB

Download
memory/5108-130-0x00000000007F0000-0x00000000008CE000-memory.dmp

Filesize
888KB

Download
memory/5108-131-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/5108-132-0x00000000052F0000-0x000000000538C000-memory.dmp

Filesize
624KB

Download
memory/5108-133-0x0000000007300000-0x00000000078A4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads