masslogger | 3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433

Analysis

max time kernel
139s
max time network
122s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe
Size

1.4MB
MD5

821769527b184bdc553c49a114feae97
SHA1

7363adbd9290aaf84ebbf2dd1a5c0f1b13a01e7c
SHA256

3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433
SHA512

d660960cca6102686618554197cb9b1f50657f5acff35dbc2fe42a0f05f787ca46d6c1dd27ed158b612d241da54c442c692c0fa39901fd921753fc47b943b992

Score

10^/10

masslogger agilenet ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\3B8E3C2477\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.5.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/25/2022 1:35:40 AM MassLogger Started: 5/25/2022 1:35:32 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe MassLogger Melt: true MassLogger Exit after delivery: false As Administrator: True Processes:

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger log file 1 IoCs

Detects a log file produced by MassLogger.

yara_rule
masslogger_log_file

Executes dropped EXE 1 IoCs

pid	Process
1216	vlcUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe

Loads dropped DLL 1 IoCs

pid	Process
1488	cmd.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/1928-56-0x0000000000460000-0x000000000046A000-memory.dmp	agile_net

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1928 set thread context of 1876	1928	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
944	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1700	timeout.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1928	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe
1928	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe
1928	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe
1876	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe
1876	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe
1632	powershell.exe
1216	vlcUpdate.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe
Token: SeDebugPrivilege	1876	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe
Token: SeDebugPrivilege	1216	vlcUpdate.exe
Token: SeDebugPrivilege	1632	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1876	1928	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	28
PID 1928 wrote to memory of 1876	1928	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	28
PID 1928 wrote to memory of 1876	1928	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	28
PID 1928 wrote to memory of 1876	1928	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	28
PID 1928 wrote to memory of 1876	1928	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	28
PID 1928 wrote to memory of 1876	1928	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	28
PID 1928 wrote to memory of 1876	1928	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	28
PID 1928 wrote to memory of 1876	1928	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	28
PID 1928 wrote to memory of 1876	1928	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	28
PID 1876 wrote to memory of 2024	1876	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	30
PID 1876 wrote to memory of 2024	1876	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	30
PID 1876 wrote to memory of 2024	1876	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	30
PID 1876 wrote to memory of 2024	1876	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	30
PID 2024 wrote to memory of 1632	2024	cmd.exe	32
PID 2024 wrote to memory of 1632	2024	cmd.exe	32
PID 2024 wrote to memory of 1632	2024	cmd.exe	32
PID 2024 wrote to memory of 1632	2024	cmd.exe	32
PID 1876 wrote to memory of 1416	1876	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	33
PID 1876 wrote to memory of 1416	1876	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	33
PID 1876 wrote to memory of 1416	1876	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	33
PID 1876 wrote to memory of 1416	1876	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	33
PID 1876 wrote to memory of 1488	1876	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	35
PID 1876 wrote to memory of 1488	1876	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	35
PID 1876 wrote to memory of 1488	1876	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	35
PID 1876 wrote to memory of 1488	1876	3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe	35
PID 1416 wrote to memory of 944	1416	cmd.exe	37
PID 1416 wrote to memory of 944	1416	cmd.exe	37
PID 1416 wrote to memory of 944	1416	cmd.exe	37
PID 1416 wrote to memory of 944	1416	cmd.exe	37
PID 1488 wrote to memory of 1700	1488	cmd.exe	38
PID 1488 wrote to memory of 1700	1488	cmd.exe	38
PID 1488 wrote to memory of 1700	1488	cmd.exe	38
PID 1488 wrote to memory of 1700	1488	cmd.exe	38
PID 1488 wrote to memory of 1216	1488	cmd.exe	39
PID 1488 wrote to memory of 1216	1488	cmd.exe	39
PID 1488 wrote to memory of 1216	1488	cmd.exe	39
PID 1488 wrote to memory of 1216	1488	cmd.exe	39
PID 1488 wrote to memory of 1216	1488	cmd.exe	39
PID 1488 wrote to memory of 1216	1488	cmd.exe	39
PID 1488 wrote to memory of 1216	1488	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe
"C:\Users\Admin\AppData\Local\Temp\3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe
  "C:\Users\Admin\AppData\Local\Temp\3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlcUpdate.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN1\vlcUpdate.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn vlcUpdate.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN1\vlcUpdate.exe"'
      4⤵
      Creates scheduled task(s)
      PID:944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB9FD.tmp.bat""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1700
  - - C:\Users\Admin\AppData\Roaming\VideoLAN1\vlcUpdate.exe
      "C:\Users\Admin\AppData\Roaming\VideoLAN1\vlcUpdate.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB9FD.tmp.bat

Filesize
163B

MD5
7a2a15f5cfdc1166cf096cf0d785aaee

SHA1
6ed45e6e54324c4a21b1f2a88c0cffabaea7fd28

SHA256
f515ffc8c45862082736dfcd070cc08d971c480cde44f981671199422da0fe99

SHA512
f97a6189639436d3b36e5ee0dd0da93956a5c8b9d31e8c435972973e0191409558d8d2d31a0163a898c59af3bd67f446f94447497158bfb147b74126f429fd77

Download Submit
C:\Users\Admin\AppData\Roaming\VideoLAN1\vlcUpdate.exe

Filesize
1.4MB

MD5
821769527b184bdc553c49a114feae97

SHA1
7363adbd9290aaf84ebbf2dd1a5c0f1b13a01e7c

SHA256
3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433

SHA512
d660960cca6102686618554197cb9b1f50657f5acff35dbc2fe42a0f05f787ca46d6c1dd27ed158b612d241da54c442c692c0fa39901fd921753fc47b943b992

Download Submit
C:\Users\Admin\AppData\Roaming\VideoLAN1\vlcUpdate.exe

Filesize
1.4MB

MD5
821769527b184bdc553c49a114feae97

SHA1
7363adbd9290aaf84ebbf2dd1a5c0f1b13a01e7c

SHA256
3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433

SHA512
d660960cca6102686618554197cb9b1f50657f5acff35dbc2fe42a0f05f787ca46d6c1dd27ed158b612d241da54c442c692c0fa39901fd921753fc47b943b992

Download Submit
\Users\Admin\AppData\Roaming\VideoLAN1\vlcUpdate.exe

Filesize
1.4MB

MD5
821769527b184bdc553c49a114feae97

SHA1
7363adbd9290aaf84ebbf2dd1a5c0f1b13a01e7c

SHA256
3a47baed5678bc0b96f23641c4bd0ca1585f393979b7dd3072aad6fe03c2a433

SHA512
d660960cca6102686618554197cb9b1f50657f5acff35dbc2fe42a0f05f787ca46d6c1dd27ed158b612d241da54c442c692c0fa39901fd921753fc47b943b992

Download Submit
memory/1216-592-0x0000000000240000-0x00000000003A8000-memory.dmp

Filesize
1.4MB

Download
memory/1632-593-0x0000000074280000-0x000000007482B000-memory.dmp

Filesize
5.7MB

Download
memory/1876-102-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-84-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-88-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-100-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-106-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-114-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-122-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-120-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-118-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-116-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-112-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-110-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-108-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-104-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-76-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-98-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-96-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-94-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-92-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-90-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-86-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-78-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-82-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-80-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-577-0x00000000003C0000-0x0000000000404000-memory.dmp

Filesize
272KB

Download
memory/1876-58-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-59-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-61-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-62-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-74-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-72-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-70-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-585-0x0000000005225000-0x0000000005236000-memory.dmp

Filesize
68KB

Download
memory/1876-68-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-66-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1876-63-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1928-57-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/1928-56-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/1928-55-0x0000000000280000-0x000000000029E000-memory.dmp

Filesize
120KB

Download
memory/1928-54-0x0000000000A10000-0x0000000000B78000-memory.dmp

Filesize
1.4MB

Download