masslogger | b51aa46feaf11911b980427b7dcb749d154bac7ccdf88b9091dc28a70e428ccc

General

Target

IMG_6190.scr
Size

732KB
MD5

471c9316ed12a0bd184ac4b4f58a6c46
SHA1

5e94a2f8fdfef1c75298e9b110419c7dc4075bbd
SHA256

b1bbfa891537ee3acffe84ec8a7ebd4537170218372be4727d74c6c31ee4a546
SHA512

32a3d4b514142f5204dfcb4dba5bfed6b2e177bd950024965a4f51bf9bcb1c617e73a61a28e3665f2e06e23dfe99a0f06e9d22e913db669f77e18934b0c6fe60

Score

10^/10

masslogger ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\8236ADF044\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.3.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 10 Pro64bit CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 3:07:20 PM MassLogger Started: 5/21/2022 3:06:43 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\IMG_6190.scr As Administrator: True

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 32 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4520-136-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-138-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-140-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-142-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-144-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-146-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-148-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-150-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-152-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-154-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-156-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-158-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-160-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-162-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-164-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-166-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-168-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-170-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-172-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-174-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-176-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-178-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-180-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-182-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-184-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-186-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-188-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-190-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-192-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-194-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-196-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger
behavioral2/memory/4520-198-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger

MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file

yara_rule
masslogger_log_file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IMG_6190.scr

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	IMG_6190.scr

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

46 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

IMG_6190.scr

description pid process target process

PID 2332 set thread context of 4520 2332 IMG_6190.scr IMG_6190.scr
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3816 4520 WerFault.exe IMG_6190.scr
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

IMG_6190.scr

description pid process

Token: SeDebugPrivilege 4520 IMG_6190.scr

flow	ioc
46	api.ipify.org

description	pid	process	target process
PID 2332 set thread context of 4520	2332	IMG_6190.scr	IMG_6190.scr

pid	pid_target	process	target process
3816	4520	WerFault.exe	IMG_6190.scr

description	pid	process
Token: SeDebugPrivilege	4520	IMG_6190.scr

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

IMG_6190.scr

description	pid	process	target process
PID 2332 wrote to memory of 4520	2332	IMG_6190.scr	IMG_6190.scr
PID 2332 wrote to memory of 4520	2332	IMG_6190.scr	IMG_6190.scr
PID 2332 wrote to memory of 4520	2332	IMG_6190.scr	IMG_6190.scr
PID 2332 wrote to memory of 4520	2332	IMG_6190.scr	IMG_6190.scr
PID 2332 wrote to memory of 4520	2332	IMG_6190.scr	IMG_6190.scr
PID 2332 wrote to memory of 4520	2332	IMG_6190.scr	IMG_6190.scr
PID 2332 wrote to memory of 4520	2332	IMG_6190.scr	IMG_6190.scr
PID 2332 wrote to memory of 4520	2332	IMG_6190.scr	IMG_6190.scr

C:\Users\Admin\AppData\Local\Temp\IMG_6190.scr
"C:\Users\Admin\AppData\Local\Temp\IMG_6190.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2332

C:\Users\Admin\AppData\Local\Temp\IMG_6190.scr
"C:\Users\Admin\AppData\Local\Temp\IMG_6190.scr"
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 1796
3⤵
- Program crash
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4520 -ip 4520
1⤵
PID:5048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2332-130-0x0000000000530000-0x00000000005EE000-memory.dmp

Filesize
760KB

Download
memory/2332-131-0x00000000054C0000-0x0000000005A64000-memory.dmp

Filesize
5.6MB

Download
memory/2332-132-0x0000000004FB0000-0x0000000005042000-memory.dmp

Filesize
584KB

Download
memory/2332-133-0x0000000005150000-0x000000000515A000-memory.dmp

Filesize
40KB

Download
memory/2332-134-0x0000000008A90000-0x0000000008B2C000-memory.dmp

Filesize
624KB

Download
memory/4520-135-0x0000000000000000-mapping.dmp

Download
memory/4520-136-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-138-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-140-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-142-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-144-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-146-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-148-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-150-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-152-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-154-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-156-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-158-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-160-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-162-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-164-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-166-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-168-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-170-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-172-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-174-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-176-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-178-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-180-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-182-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-184-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-186-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-188-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-190-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-192-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-194-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-196-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-198-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4520-641-0x0000000006490000-0x00000000064F6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads