masslogger | 02d1bdc78c4558d0b4c573056b3828e82bc4b008832b29a43c66817459fe4bcc

General

Target

Order Inquiry List.exe
Size

1.1MB
MD5

5a82e2c1d04b28f1d1c7861b231ccfce
SHA1

39adba5bb7a9585d50993a6264f05aecafcd0a92
SHA256

77edc9558f41f26d6b1586ca2fea51861a67de17a50f9494090070285e1f0c43
SHA512

b32280588cbb9e128ba84c800252edca5736c714ff90d9f710ab684537621c99e63c2e4fe41f36c3313098f20d710661b483bdfbd5e35dbc4410d4bcc339f1ba

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4188-137-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4768 set thread context of 4188	4768	Order Inquiry List.exe	87

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4188	Order Inquiry List.exe
4188	Order Inquiry List.exe
4572	powershell.exe
4572	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4188	Order Inquiry List.exe
Token: SeDebugPrivilege	4572	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 4188	4768	Order Inquiry List.exe	87
PID 4768 wrote to memory of 4188	4768	Order Inquiry List.exe	87
PID 4768 wrote to memory of 4188	4768	Order Inquiry List.exe	87
PID 4768 wrote to memory of 4188	4768	Order Inquiry List.exe	87
PID 4768 wrote to memory of 4188	4768	Order Inquiry List.exe	87
PID 4768 wrote to memory of 4188	4768	Order Inquiry List.exe	87
PID 4768 wrote to memory of 4188	4768	Order Inquiry List.exe	87
PID 4768 wrote to memory of 4188	4768	Order Inquiry List.exe	87
PID 4188 wrote to memory of 220	4188	Order Inquiry List.exe	88
PID 4188 wrote to memory of 220	4188	Order Inquiry List.exe	88
PID 4188 wrote to memory of 220	4188	Order Inquiry List.exe	88
PID 220 wrote to memory of 4572	220	cmd.exe	90
PID 220 wrote to memory of 4572	220	cmd.exe	90
PID 220 wrote to memory of 4572	220	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe
  "C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order Inquiry List.exe.log

Filesize
1KB

MD5
17573558c4e714f606f997e5157afaac

SHA1
13e16e9415ceef429aaf124139671ebeca09ed23

SHA256
c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

SHA512
f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

Download Submit
memory/4188-138-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/4188-137-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4572-145-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/4572-146-0x00000000063D0000-0x00000000063EE000-memory.dmp

Filesize
120KB

Download
memory/4572-150-0x0000000006990000-0x00000000069B2000-memory.dmp

Filesize
136KB

Download
memory/4572-149-0x0000000007660000-0x00000000076F6000-memory.dmp

Filesize
600KB

Download
memory/4572-148-0x00000000068D0000-0x00000000068EA000-memory.dmp

Filesize
104KB

Download
memory/4572-147-0x0000000007C40000-0x00000000082BA000-memory.dmp

Filesize
6.5MB

Download
memory/4572-142-0x0000000002AA0000-0x0000000002AD6000-memory.dmp

Filesize
216KB

Download
memory/4572-143-0x00000000054A0000-0x0000000005AC8000-memory.dmp

Filesize
6.2MB

Download
memory/4572-144-0x0000000005AD0000-0x0000000005AF2000-memory.dmp

Filesize
136KB

Download
memory/4768-132-0x0000000005A70000-0x0000000006014000-memory.dmp

Filesize
5.6MB

Download
memory/4768-130-0x00000000009A0000-0x0000000000ACC000-memory.dmp

Filesize
1.2MB

Download
memory/4768-131-0x0000000005420000-0x00000000054BC000-memory.dmp

Filesize
624KB

Download
memory/4768-135-0x00000000056F0000-0x0000000005746000-memory.dmp

Filesize
344KB

Download
memory/4768-133-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/4768-134-0x00000000054F0000-0x00000000054FA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing