masslogger | f937625ac17370fe9bc738c7290d2186612a3a106428bb26c142848a0d949625

General

Target

Inquiry List For Quote.exe
Size

1.1MB
MD5

d5df29fc9902a2b1404d1366a945ed72
SHA1

2c98de0881f4b3ad58fd86d9e006c8902f85d486
SHA256

af568c3ddd1a373a0694029fecd3406feffc6054bd3587436f1df5681cee591d
SHA512

b1f9d1e576f1c5115cc8199e1a1b8c5a344617900c84b9c1d914a1773c759847aa7c3d6166b5fa48f8a34319cc2c39d274a263d3f845ca741bfdb16ef7bc30fa

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4784-136-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3280 set thread context of 4784	3280	Inquiry List For Quote.exe	83

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3280	Inquiry List For Quote.exe
3280	Inquiry List For Quote.exe
4784	Inquiry List For Quote.exe
4784	Inquiry List For Quote.exe
204	powershell.exe
204	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3280	Inquiry List For Quote.exe
Token: SeDebugPrivilege	4784	Inquiry List For Quote.exe
Token: SeDebugPrivilege	204	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 4568	3280	Inquiry List For Quote.exe	82
PID 3280 wrote to memory of 4568	3280	Inquiry List For Quote.exe	82
PID 3280 wrote to memory of 4568	3280	Inquiry List For Quote.exe	82
PID 3280 wrote to memory of 4784	3280	Inquiry List For Quote.exe	83
PID 3280 wrote to memory of 4784	3280	Inquiry List For Quote.exe	83
PID 3280 wrote to memory of 4784	3280	Inquiry List For Quote.exe	83
PID 3280 wrote to memory of 4784	3280	Inquiry List For Quote.exe	83
PID 3280 wrote to memory of 4784	3280	Inquiry List For Quote.exe	83
PID 3280 wrote to memory of 4784	3280	Inquiry List For Quote.exe	83
PID 3280 wrote to memory of 4784	3280	Inquiry List For Quote.exe	83
PID 3280 wrote to memory of 4784	3280	Inquiry List For Quote.exe	83
PID 4784 wrote to memory of 640	4784	Inquiry List For Quote.exe	87
PID 4784 wrote to memory of 640	4784	Inquiry List For Quote.exe	87
PID 4784 wrote to memory of 640	4784	Inquiry List For Quote.exe	87
PID 640 wrote to memory of 204	640	cmd.exe	89
PID 640 wrote to memory of 204	640	cmd.exe	89
PID 640 wrote to memory of 204	640	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\Inquiry List For Quote.exe
"C:\Users\Admin\AppData\Local\Temp\Inquiry List For Quote.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Users\Admin\AppData\Local\Temp\Inquiry List For Quote.exe
  "C:\Users\Admin\AppData\Local\Temp\Inquiry List For Quote.exe"
  2⤵
  PID:4568
- C:\Users\Admin\AppData\Local\Temp\Inquiry List For Quote.exe
  "C:\Users\Admin\AppData\Local\Temp\Inquiry List For Quote.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Inquiry List For Quote.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Inquiry List For Quote.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Inquiry List For Quote.exe.log

Filesize
507B

MD5
d1a92622541a19a1840491deb2bb5e6d

SHA1
5b61bb7d8973644f736968ea416ec502a0ae9bce

SHA256
3b453ecc382d28d36f2c3c33634d332f856389fc3d709e40cbe9be8076da7a3c

SHA512
c451f1b9a3dd7c9c2acb1174c0029591f60193b99c9d2712701e182f94fdc89cf93053b402b1ffc26ff5876bec38df7e105c4fe975826acdf6bd215011bcfe41

Download Submit
memory/204-145-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/204-144-0x0000000005F70000-0x0000000005FD6000-memory.dmp

Filesize
408KB

Download
memory/204-149-0x0000000007950000-0x0000000007972000-memory.dmp

Filesize
136KB

Download
memory/204-148-0x00000000079F0000-0x0000000007A86000-memory.dmp

Filesize
600KB

Download
memory/204-147-0x0000000006CC0000-0x0000000006CDA000-memory.dmp

Filesize
104KB

Download
memory/204-146-0x0000000007F20000-0x000000000859A000-memory.dmp

Filesize
6.5MB

Download
memory/204-143-0x00000000058A0000-0x00000000058C2000-memory.dmp

Filesize
136KB

Download
memory/204-142-0x00000000058D0000-0x0000000005EF8000-memory.dmp

Filesize
6.2MB

Download
memory/204-141-0x00000000051A0000-0x00000000051D6000-memory.dmp

Filesize
216KB

Download
memory/3280-132-0x0000000008010000-0x00000000080AC000-memory.dmp

Filesize
624KB

Download
memory/3280-130-0x00000000008F0000-0x0000000000A12000-memory.dmp

Filesize
1.1MB

Download
memory/3280-131-0x0000000007900000-0x0000000007992000-memory.dmp

Filesize
584KB

Download
memory/3280-133-0x0000000008750000-0x0000000008CF4000-memory.dmp

Filesize
5.6MB

Download
memory/4784-138-0x0000000005210000-0x0000000005276000-memory.dmp

Filesize
408KB

Download
memory/4784-136-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing