masslogger | 98b94a69e5bbb73e9ed6c65f1aa949b50ecb4e3b779316fe09f6b80a7f4614e9

General

Target

PO__3048.exe
Size

1.3MB
MD5

e1b530b53135e5f15c6ee5e07818d3dd
SHA1

867fc34d7cb6c28838ec7210a51064e39e7b573a
SHA256

291acc1800bb543e73f85a5ec925fba62d9af86f75091fd7993c20d4fe78e22c
SHA512

ed3ca3b5c6d257cc5ba2a2f59dbde002c37c1f1b45f5e5a241bff0dedf7cef8ad501b6c0569967390248534a1b13d1e851875ce118cad92182cdd2bf1c31bd15

Score

10^/10

masslogger collection ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\2EF8342664\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.5.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 10 Pro64bit CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 3:06:48 PM MassLogger Started: 5/21/2022 3:06:45 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe MassLogger Melt: true MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2712-130-0x00000000001E0000-0x0000000000332000-memory.dmp	family_masslogger
behavioral2/memory/3476-136-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-140-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-142-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-144-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-146-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-148-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-150-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-152-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-154-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-156-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-158-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-160-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-162-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-164-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-166-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-168-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-170-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-172-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-174-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-176-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-178-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-180-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-182-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-184-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-186-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-188-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-190-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-192-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-194-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-196-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-198-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/3476-200-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger

MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file
Executes dropped EXE 1 IoCs

Processes:

AddInProcess32.exe

pid process

3476 AddInProcess32.exe

yara_rule
masslogger_log_file

pid	process
3476	AddInProcess32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AddInProcess32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	AddInProcess32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs

collection

Email Collection

T1114

Processes:

AddInProcess32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe
Key queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	AddInProcess32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe
Key queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	AddInProcess32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	AddInProcess32.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe
Key queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe
Key queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	AddInProcess32.exe
Key queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	AddInProcess32.exe
Key queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	AddInProcess32.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO__3048.exe

description pid process target process

PID 2712 set thread context of 3476 2712 PO__3048.exe AddInProcess32.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

PO__3048.exeAddInProcess32.exepowershell.exe

pid process

2712 PO__3048.exe
2712 PO__3048.exe
2712 PO__3048.exe
3476 AddInProcess32.exe
4476 powershell.exe
4476 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO__3048.exeAddInProcess32.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2712 PO__3048.exe
Token: SeDebugPrivilege 3476 AddInProcess32.exe
Token: SeDebugPrivilege 4476 powershell.exe

flow	ioc
25	api.ipify.org

description	pid	process	target process
PID 2712 set thread context of 3476	2712	PO__3048.exe	AddInProcess32.exe

pid	process
2712	PO__3048.exe
2712	PO__3048.exe
2712	PO__3048.exe
3476	AddInProcess32.exe
4476	powershell.exe
4476	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2712	PO__3048.exe
Token: SeDebugPrivilege	3476	AddInProcess32.exe
Token: SeDebugPrivilege	4476	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

PO__3048.exeAddInProcess32.execmd.exe

description	pid	process	target process
PID 2712 wrote to memory of 3476	2712	PO__3048.exe	AddInProcess32.exe
PID 2712 wrote to memory of 3476	2712	PO__3048.exe	AddInProcess32.exe
PID 2712 wrote to memory of 3476	2712	PO__3048.exe	AddInProcess32.exe
PID 2712 wrote to memory of 3476	2712	PO__3048.exe	AddInProcess32.exe
PID 2712 wrote to memory of 3476	2712	PO__3048.exe	AddInProcess32.exe
PID 2712 wrote to memory of 3476	2712	PO__3048.exe	AddInProcess32.exe
PID 2712 wrote to memory of 3476	2712	PO__3048.exe	AddInProcess32.exe
PID 2712 wrote to memory of 3476	2712	PO__3048.exe	AddInProcess32.exe
PID 3476 wrote to memory of 4496	3476	AddInProcess32.exe	cmd.exe
PID 3476 wrote to memory of 4496	3476	AddInProcess32.exe	cmd.exe
PID 3476 wrote to memory of 4496	3476	AddInProcess32.exe	cmd.exe
PID 4496 wrote to memory of 4476	4496	cmd.exe	powershell.exe
PID 4496 wrote to memory of 4476	4496	cmd.exe	powershell.exe
PID 4496 wrote to memory of 4476	4496	cmd.exe	powershell.exe

outlook_office_path 1 IoCs

Processes:

AddInProcess32.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe

outlook_win_path 1 IoCs

Processes:

AddInProcess32.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\PO__3048.exe
"C:\Users\Admin\AppData\Local\Temp\PO__3048.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3476

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
memory/2712-130-0x00000000001E0000-0x0000000000332000-memory.dmp

Filesize
1.3MB

Download
memory/2712-131-0x00000000052F0000-0x0000000005894000-memory.dmp

Filesize
5.6MB

Download
memory/2712-132-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/2712-133-0x0000000004FE0000-0x0000000005024000-memory.dmp

Filesize
272KB

Download
memory/2712-134-0x0000000006860000-0x0000000006882000-memory.dmp

Filesize
136KB

Download
memory/3476-135-0x0000000000000000-mapping.dmp

Download
memory/3476-136-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-140-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-142-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-144-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-146-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-148-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-150-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-152-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-154-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-156-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-158-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-160-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-162-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-164-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-166-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-168-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-170-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-172-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-174-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-176-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-178-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-180-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-182-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-184-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-186-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-188-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-190-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-192-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-194-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-196-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-198-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-200-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3476-647-0x0000000005710000-0x00000000057AC000-memory.dmp

Filesize
624KB

Download
memory/3476-648-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/3476-649-0x0000000006F00000-0x0000000006F0A000-memory.dmp

Filesize
40KB

Download
memory/3476-650-0x0000000007040000-0x0000000007090000-memory.dmp

Filesize
320KB

Download
memory/4476-652-0x0000000000000000-mapping.dmp

Download
memory/4476-653-0x0000000000EA0000-0x0000000000ED6000-memory.dmp

Filesize
216KB

Download
memory/4476-654-0x0000000004EE0000-0x0000000005508000-memory.dmp

Filesize
6.2MB

Download
memory/4476-655-0x0000000005580000-0x00000000055E6000-memory.dmp

Filesize
408KB

Download
memory/4476-656-0x0000000005C20000-0x0000000005C3E000-memory.dmp

Filesize
120KB

Download
memory/4476-657-0x0000000007480000-0x0000000007AFA000-memory.dmp

Filesize
6.5MB

Download
memory/4476-658-0x0000000006130000-0x000000000614A000-memory.dmp

Filesize
104KB

Download
memory/4476-659-0x0000000006EA0000-0x0000000006F36000-memory.dmp

Filesize
600KB

Download
memory/4476-660-0x00000000061E0000-0x0000000006202000-memory.dmp

Filesize
136KB

Download
memory/4496-651-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads