masslogger | bc501d3b47f591276bfa86741e6891f0141d5fbfa63f0f506b5eb1bb34a1c9a6

General

Target

Contract RequestPurchase Order.exe
Size

862KB
MD5

983c9501317f9b4091073e067900afb3
SHA1

62f508b5fb7e80f5b755e5c6b351d244ddfce74f
SHA256

7bb0368333b8dc8c6b4c422f11c02ec43d385547b460c2f1f8cf78013521a2f5
SHA512

b587eb07df4d9388f28764340419e7981e6b47c76e58fb26305b1c952623d05c42c4a7886ccc6c50ea57148a561f5909bf8282afb1883f253cb6eb94e179a7d0

Score

10^/10

masslogger evasion spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4512-136-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Contract RequestPurchase Order.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Contract RequestPurchase Order.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Contract RequestPurchase Order.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Contract RequestPurchase Order.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Contract RequestPurchase Order.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Contract RequestPurchase Order.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Contract RequestPurchase Order.exe

description pid process target process

PID 5108 set thread context of 4512 5108 Contract RequestPurchase Order.exe Contract RequestPurchase Order.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4928 powershell.exe
4928 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4928 powershell.exe

description	pid	process	target process
PID 5108 set thread context of 4512	5108	Contract RequestPurchase Order.exe	Contract RequestPurchase Order.exe

pid	process
4928	powershell.exe
4928	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4928	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Contract RequestPurchase Order.exeContract RequestPurchase Order.execmd.exe

description	pid	process	target process
PID 5108 wrote to memory of 4512	5108	Contract RequestPurchase Order.exe	Contract RequestPurchase Order.exe
PID 5108 wrote to memory of 4512	5108	Contract RequestPurchase Order.exe	Contract RequestPurchase Order.exe
PID 5108 wrote to memory of 4512	5108	Contract RequestPurchase Order.exe	Contract RequestPurchase Order.exe
PID 5108 wrote to memory of 4512	5108	Contract RequestPurchase Order.exe	Contract RequestPurchase Order.exe
PID 5108 wrote to memory of 4512	5108	Contract RequestPurchase Order.exe	Contract RequestPurchase Order.exe
PID 5108 wrote to memory of 4512	5108	Contract RequestPurchase Order.exe	Contract RequestPurchase Order.exe
PID 5108 wrote to memory of 4512	5108	Contract RequestPurchase Order.exe	Contract RequestPurchase Order.exe
PID 5108 wrote to memory of 4512	5108	Contract RequestPurchase Order.exe	Contract RequestPurchase Order.exe
PID 4512 wrote to memory of 3092	4512	Contract RequestPurchase Order.exe	cmd.exe
PID 4512 wrote to memory of 3092	4512	Contract RequestPurchase Order.exe	cmd.exe
PID 4512 wrote to memory of 3092	4512	Contract RequestPurchase Order.exe	cmd.exe
PID 3092 wrote to memory of 4928	3092	cmd.exe	powershell.exe
PID 3092 wrote to memory of 4928	3092	cmd.exe	powershell.exe
PID 3092 wrote to memory of 4928	3092	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Contract RequestPurchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Contract RequestPurchase Order.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5108

C:\Users\Admin\AppData\Local\Temp\Contract RequestPurchase Order.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Contract RequestPurchase Order.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Contract RequestPurchase Order.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Contract RequestPurchase Order.exe.log
Filesize
599B

MD5
aafc627f91117039190bb80d5076e958

SHA1
3e2b20456921ec6c2f49d4aee04096fd915d325b

SHA256
fcc0ab0ea241330be2583468f17f974fccb9a239214e7854e18f587d0ec3b87a

SHA512
5d27b432f27973691b7c7f61487d308c4b8e1c6a8b3db59e47e2de20c6d0ff12367e5b2dacaa3e6b6eb9b8192bb078b732162f803bb74ccad0391ff0d97107fb

Download Submit
memory/3092-138-0x0000000000000000-mapping.dmp

Download
memory/4512-135-0x0000000000000000-mapping.dmp

Download
memory/4512-136-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4928-142-0x0000000004DE0000-0x0000000004E02000-memory.dmp

Filesize
136KB

Download
memory/4928-144-0x0000000005C70000-0x0000000005C8E000-memory.dmp

Filesize
120KB

Download
memory/4928-148-0x0000000006280000-0x00000000062A2000-memory.dmp

Filesize
136KB

Download
memory/4928-147-0x0000000006F20000-0x0000000006FB6000-memory.dmp

Filesize
600KB

Download
memory/4928-146-0x0000000006180000-0x000000000619A000-memory.dmp

Filesize
104KB

Download
memory/4928-139-0x0000000000000000-mapping.dmp

Download
memory/4928-140-0x0000000002350000-0x0000000002386000-memory.dmp

Filesize
216KB

Download
memory/4928-141-0x0000000004E40000-0x0000000005468000-memory.dmp

Filesize
6.2MB

Download
memory/4928-145-0x0000000007500000-0x0000000007B7A000-memory.dmp

Filesize
6.5MB

Download
memory/4928-143-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/5108-134-0x0000000006D50000-0x0000000006DB6000-memory.dmp

Filesize
408KB

Download
memory/5108-130-0x00000000007F0000-0x00000000008CE000-memory.dmp

Filesize
888KB

Download
memory/5108-131-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/5108-132-0x00000000052F0000-0x000000000538C000-memory.dmp

Filesize
624KB

Download
memory/5108-133-0x0000000007300000-0x00000000078A4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads