masslogger | a30b832b57390359990b3c114f97974d079c77c9a94d77c809d250cc56dfa70c

General

Target

PO#052620.exe
Size

916KB
MD5

6b9b5794e44f69ab2773ce2799463454
SHA1

5ae3669ecff1e3de5569d81a0c4bae495e4be457
SHA256

9c5b8535e2ac554768c5cfc3d655a3aed7647fe2280e66161a516296eb5a5918
SHA512

b5d666a93bd724e010fc63f5d70078c54a7a8bebf6aab647ad2a49d049d99703ac14ba2b7fe408632eef308d85af5b2725e89c18e193f2966ff0cb1b72460731

Score

10^/10

masslogger collection coreentity ransomware rezer0 spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.3.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:31:14 PM MassLogger Started: 5/21/2022 2:30:43 PM Interval: 2 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe As Administrator: True

Extracted

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
don8@intarscan.org
Password:
?qlva43X~o%I

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/1880-56-0x0000000000360000-0x0000000000368000-memory.dmp	coreentity

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 32 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1124-61-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-62-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-63-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-64-0x00000000004A1A2E-mapping.dmp	family_masslogger
behavioral1/memory/1124-66-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-68-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-70-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-72-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-74-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-76-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-78-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-80-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-82-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-84-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-86-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-88-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-90-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-92-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-94-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-96-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-98-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-100-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-102-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-104-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-106-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-108-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-110-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-112-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-114-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-116-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-118-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger
behavioral1/memory/1124-120-0x0000000000400000-0x00000000004A6000-memory.dmp	family_masslogger

MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file

yara_rule
masslogger_log_file

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1880-57-0x00000000081F0000-0x000000000829E000-memory.dmp	rezer0

Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO#052620.exe

description pid process target process

PID 1880 set thread context of 1124 1880 PO#052620.exe RegSvcs.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

RegSvcs.exe

pid process

1124 RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

PO#052620.exeRegSvcs.exe

pid process

1880 PO#052620.exe
1124 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO#052620.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1880 PO#052620.exe
Token: SeDebugPrivilege 1124 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

1124 RegSvcs.exe

flow	ioc
4	api.ipify.org

description	pid	process	target process
PID 1880 set thread context of 1124	1880	PO#052620.exe	RegSvcs.exe

pid	process
1124	RegSvcs.exe

pid	process
1880	PO#052620.exe
1124	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1880	PO#052620.exe
Token: SeDebugPrivilege	1124	RegSvcs.exe

pid	process
1124	RegSvcs.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PO#052620.exe

description	pid	process	target process
PID 1880 wrote to memory of 1124	1880	PO#052620.exe	RegSvcs.exe
PID 1880 wrote to memory of 1124	1880	PO#052620.exe	RegSvcs.exe
PID 1880 wrote to memory of 1124	1880	PO#052620.exe	RegSvcs.exe
PID 1880 wrote to memory of 1124	1880	PO#052620.exe	RegSvcs.exe
PID 1880 wrote to memory of 1124	1880	PO#052620.exe	RegSvcs.exe
PID 1880 wrote to memory of 1124	1880	PO#052620.exe	RegSvcs.exe
PID 1880 wrote to memory of 1124	1880	PO#052620.exe	RegSvcs.exe
PID 1880 wrote to memory of 1124	1880	PO#052620.exe	RegSvcs.exe
PID 1880 wrote to memory of 1124	1880	PO#052620.exe	RegSvcs.exe
PID 1880 wrote to memory of 1124	1880	PO#052620.exe	RegSvcs.exe
PID 1880 wrote to memory of 1124	1880	PO#052620.exe	RegSvcs.exe
PID 1880 wrote to memory of 1124	1880	PO#052620.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\PO#052620.exe
"C:\Users\Admin\AppData\Local\Temp\PO#052620.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1124-82-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-112-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-576-0x0000000004EB0000-0x0000000004EF4000-memory.dmp

Filesize
272KB

Download
memory/1124-118-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-58-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-59-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-61-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-62-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-63-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-64-0x00000000004A1A2E-mapping.dmp

Download
memory/1124-66-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-68-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-70-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-86-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-74-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-76-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-78-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-80-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-120-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-116-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-72-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-88-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-90-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-92-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-94-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-96-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-98-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-100-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-102-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-104-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-106-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-108-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-110-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-84-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1124-114-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1880-55-0x00000000755A1000-0x00000000755A3000-memory.dmp

Filesize
8KB

Download
memory/1880-57-0x00000000081F0000-0x000000000829E000-memory.dmp

Filesize
696KB

Download
memory/1880-54-0x0000000000830000-0x000000000091C000-memory.dmp

Filesize
944KB

Download
memory/1880-56-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads