masslogger | 945de800ae672cc44cca74776ec9b3658aaa8dd14d6fef5643f6641a618a92e4

General

Target

Order Inquiry with Design Samples.exe
Size

897KB
MD5

2ebff22a63913f818834de7c54a0e354
SHA1

89a9d6a4d974fe7cde6ec896c5dc19283b0f63f4
SHA256

2302005fdd7c57d73c350d541fd0020b051efffdf02a4f3c3e1671cacea30043
SHA512

f722929d3691cda5d078f477c6ecac777b465d0923931fcc62389a4b6b6ed1df35b6be2800ce9cf9e2c65b004adf85d7822a12c0ad07d13e6c05139c5f2c4dda

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2400-136-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

Processes:

Order Inquiry with Design Samples.exe

description pid process target process

PID 3920 set thread context of 2400 3920 Order Inquiry with Design Samples.exe Order Inquiry with Design Samples.exe

description	pid	process	target process
PID 3920 set thread context of 2400	3920	Order Inquiry with Design Samples.exe	Order Inquiry with Design Samples.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

Order Inquiry with Design Samples.exeOrder Inquiry with Design Samples.exepowershell.exe

pid	process
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
3920	Order Inquiry with Design Samples.exe
2400	Order Inquiry with Design Samples.exe
2400	Order Inquiry with Design Samples.exe
1916	powershell.exe
1916	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Order Inquiry with Design Samples.exeOrder Inquiry with Design Samples.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3920	Order Inquiry with Design Samples.exe
Token: SeDebugPrivilege	2400	Order Inquiry with Design Samples.exe
Token: SeDebugPrivilege	1916	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Order Inquiry with Design Samples.exeOrder Inquiry with Design Samples.execmd.exe

C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920

C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe"
2⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order Inquiry with Design Samples.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1916-139-0x0000000000000000-mapping.dmp

Download
memory/1916-148-0x0000000006DA0000-0x0000000006DC2000-memory.dmp

Filesize
136KB

Download
memory/1916-147-0x0000000007A60000-0x0000000007AF6000-memory.dmp

Filesize
600KB

Download
memory/1916-146-0x0000000006CD0000-0x0000000006CEA000-memory.dmp

Filesize
104KB

Download
memory/1916-145-0x0000000007E40000-0x00000000084BA000-memory.dmp

Filesize
6.5MB

Download
memory/1916-144-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/1916-143-0x0000000006070000-0x00000000060D6000-memory.dmp

Filesize
408KB

Download
memory/1916-140-0x0000000005180000-0x00000000051B6000-memory.dmp

Filesize
216KB

Download
memory/1916-141-0x0000000005830000-0x0000000005E58000-memory.dmp

Filesize
6.2MB

Download
memory/1916-142-0x0000000005FD0000-0x0000000005FF2000-memory.dmp

Filesize
136KB

Download
memory/2400-135-0x0000000000000000-mapping.dmp

Download
memory/2400-136-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2400-137-0x0000000004FB0000-0x0000000005016000-memory.dmp

Filesize
408KB

Download
memory/2996-134-0x0000000000000000-mapping.dmp

Download
memory/3920-130-0x0000000000110000-0x00000000001F6000-memory.dmp

Filesize
920KB

Download
memory/3920-133-0x0000000004E50000-0x0000000004EEC000-memory.dmp

Filesize
624KB

Download
memory/3920-132-0x0000000004C30000-0x0000000004CC2000-memory.dmp

Filesize
584KB

Download
memory/3920-131-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/5052-138-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 3920 wrote to memory of 2996	3920	Order Inquiry with Design Samples.exe	Order Inquiry with Design Samples.exe
PID 3920 wrote to memory of 2996	3920	Order Inquiry with Design Samples.exe	Order Inquiry with Design Samples.exe
PID 3920 wrote to memory of 2996	3920	Order Inquiry with Design Samples.exe	Order Inquiry with Design Samples.exe
PID 3920 wrote to memory of 2400	3920	Order Inquiry with Design Samples.exe	Order Inquiry with Design Samples.exe
PID 3920 wrote to memory of 2400	3920	Order Inquiry with Design Samples.exe	Order Inquiry with Design Samples.exe
PID 3920 wrote to memory of 2400	3920	Order Inquiry with Design Samples.exe	Order Inquiry with Design Samples.exe
PID 3920 wrote to memory of 2400	3920	Order Inquiry with Design Samples.exe	Order Inquiry with Design Samples.exe
PID 3920 wrote to memory of 2400	3920	Order Inquiry with Design Samples.exe	Order Inquiry with Design Samples.exe
PID 3920 wrote to memory of 2400	3920	Order Inquiry with Design Samples.exe	Order Inquiry with Design Samples.exe
PID 3920 wrote to memory of 2400	3920	Order Inquiry with Design Samples.exe	Order Inquiry with Design Samples.exe
PID 3920 wrote to memory of 2400	3920	Order Inquiry with Design Samples.exe	Order Inquiry with Design Samples.exe
PID 2400 wrote to memory of 5052	2400	Order Inquiry with Design Samples.exe	cmd.exe
PID 2400 wrote to memory of 5052	2400	Order Inquiry with Design Samples.exe	cmd.exe
PID 2400 wrote to memory of 5052	2400	Order Inquiry with Design Samples.exe	cmd.exe
PID 5052 wrote to memory of 1916	5052	cmd.exe	powershell.exe
PID 5052 wrote to memory of 1916	5052	cmd.exe	powershell.exe
PID 5052 wrote to memory of 1916	5052	cmd.exe	powershell.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads