masslogger | eccaaee0026c308466b2e577ed5f1a7686aa1b8a46db53d948f37512ae78a508

General

Target

Order Inquiry List.exe
Size

1.2MB
MD5

4c812fc87fce65e0cb5011a55b453200
SHA1

6a92d646c4858b718b10bbd2a5a41faab41a25a9
SHA256

ea23ee7d6471b33c86c5eac4f96c09f060aaf5fcb7847b4ebc386a16871ee64c
SHA512

32360dbfc573335d91f8b5a67dce3830ee72614d342ff4b717924393af3bbc0d0e0d009d4baec786fadaf3c5d6e2782b1fc01368b96a4344803b1943222c1ba9

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4480-137-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1092 set thread context of 4480	1092	Order Inquiry List.exe	83

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4480	Order Inquiry List.exe
4480	Order Inquiry List.exe
1200	powershell.exe
1200	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4480	Order Inquiry List.exe
Token: SeDebugPrivilege	1200	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 4480	1092	Order Inquiry List.exe	83
PID 1092 wrote to memory of 4480	1092	Order Inquiry List.exe	83
PID 1092 wrote to memory of 4480	1092	Order Inquiry List.exe	83
PID 1092 wrote to memory of 4480	1092	Order Inquiry List.exe	83
PID 1092 wrote to memory of 4480	1092	Order Inquiry List.exe	83
PID 1092 wrote to memory of 4480	1092	Order Inquiry List.exe	83
PID 1092 wrote to memory of 4480	1092	Order Inquiry List.exe	83
PID 1092 wrote to memory of 4480	1092	Order Inquiry List.exe	83
PID 4480 wrote to memory of 980	4480	Order Inquiry List.exe	88
PID 4480 wrote to memory of 980	4480	Order Inquiry List.exe	88
PID 4480 wrote to memory of 980	4480	Order Inquiry List.exe	88
PID 980 wrote to memory of 1200	980	cmd.exe	90
PID 980 wrote to memory of 1200	980	cmd.exe	90
PID 980 wrote to memory of 1200	980	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe
  "C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order Inquiry List.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order Inquiry List.exe.log

Filesize
1KB

MD5
17573558c4e714f606f997e5157afaac

SHA1
13e16e9415ceef429aaf124139671ebeca09ed23

SHA256
c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

SHA512
f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

Download Submit
memory/1092-135-0x0000000004E20000-0x0000000004E76000-memory.dmp

Filesize
344KB

Download
memory/1092-132-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/1092-134-0x0000000004B50000-0x0000000004B5A000-memory.dmp

Filesize
40KB

Download
memory/1092-130-0x0000000000080000-0x00000000001B8000-memory.dmp

Filesize
1.2MB

Download
memory/1092-133-0x0000000004C30000-0x0000000004CC2000-memory.dmp

Filesize
584KB

Download
memory/1092-131-0x0000000004B90000-0x0000000004C2C000-memory.dmp

Filesize
624KB

Download
memory/1200-145-0x0000000005890000-0x00000000058F6000-memory.dmp

Filesize
408KB

Download
memory/1200-142-0x0000000002740000-0x0000000002776000-memory.dmp

Filesize
216KB

Download
memory/1200-143-0x00000000051C0000-0x00000000057E8000-memory.dmp

Filesize
6.2MB

Download
memory/1200-144-0x00000000057F0000-0x0000000005812000-memory.dmp

Filesize
136KB

Download
memory/1200-146-0x0000000006070000-0x000000000608E000-memory.dmp

Filesize
120KB

Download
memory/1200-147-0x0000000007AD0000-0x000000000814A000-memory.dmp

Filesize
6.5MB

Download
memory/1200-148-0x0000000006550000-0x000000000656A000-memory.dmp

Filesize
104KB

Download
memory/1200-149-0x0000000007110000-0x00000000071A6000-memory.dmp

Filesize
600KB

Download
memory/1200-150-0x0000000006630000-0x0000000006652000-memory.dmp

Filesize
136KB

Download
memory/4480-139-0x0000000005B10000-0x0000000005B76000-memory.dmp

Filesize
408KB

Download
memory/4480-137-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing