masslogger | c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa

General

Target

c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe
Size

979KB
MD5

58ad0f5eafa1560d04e4431605757dc9
SHA1

1db34eb943c75aa701925e7f93d414645ba22ab8
SHA256

c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa
SHA512

d85acd35c2cbd5321175b2dbe0a250808d71096f9f5a4236b9e85625f232213218e0f9582c78a3a09ded9f3f7f83e6ac179c030d9a496b59c40e24c547aa0e2a

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2900-136-0x0000000000400000-0x00000000004C4000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3484 set thread context of 2900	3484	c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe	81

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3484	c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe
3484	c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe
3904	powershell.exe
3904	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3484	c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe
Token: SeDebugPrivilege	3904	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 3408	3484	c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe	80
PID 3484 wrote to memory of 3408	3484	c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe	80
PID 3484 wrote to memory of 3408	3484	c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe	80
PID 3484 wrote to memory of 2900	3484	c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe	81
PID 3484 wrote to memory of 2900	3484	c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe	81
PID 3484 wrote to memory of 2900	3484	c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe	81
PID 3484 wrote to memory of 2900	3484	c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe	81
PID 3484 wrote to memory of 2900	3484	c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe	81
PID 3484 wrote to memory of 2900	3484	c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe	81
PID 3484 wrote to memory of 2900	3484	c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe	81
PID 3484 wrote to memory of 2900	3484	c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe	81
PID 2900 wrote to memory of 3740	2900	c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe	88
PID 2900 wrote to memory of 3740	2900	c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe	88
PID 2900 wrote to memory of 3740	2900	c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe	88
PID 3740 wrote to memory of 3904	3740	cmd.exe	86
PID 3740 wrote to memory of 3904	3740	cmd.exe	86
PID 3740 wrote to memory of 3904	3740	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe
"C:\Users\Admin\AppData\Local\Temp\c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Local\Temp\c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe
  "{path}"
  2⤵
  PID:3408
- C:\Users\Admin\AppData\Local\Temp\c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe
  "{path}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe'
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\c956af5784b710cb77e24120cd238f87cba12c07604ebd98daad9fe379cfcbaa.exe.log

Filesize
507B

MD5
76ffb2f33cb32ade8fc862a67599e9d8

SHA1
920cc4ab75b36d2f9f6e979b74db568973c49130

SHA256
f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

SHA512
f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

Download Submit
memory/2900-136-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2900-138-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/3484-130-0x0000000000A00000-0x0000000000AFA000-memory.dmp

Filesize
1000KB

Download
memory/3484-131-0x00000000059B0000-0x0000000005F54000-memory.dmp

Filesize
5.6MB

Download
memory/3484-132-0x00000000054A0000-0x0000000005532000-memory.dmp

Filesize
584KB

Download
memory/3484-133-0x00000000055E0000-0x000000000567C000-memory.dmp

Filesize
624KB

Download
memory/3904-141-0x0000000002610000-0x0000000002646000-memory.dmp

Filesize
216KB

Download
memory/3904-142-0x0000000005100000-0x0000000005728000-memory.dmp

Filesize
6.2MB

Download
memory/3904-144-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/3904-143-0x0000000005050000-0x0000000005072000-memory.dmp

Filesize
136KB

Download
memory/3904-145-0x0000000006040000-0x000000000605E000-memory.dmp

Filesize
120KB

Download
memory/3904-147-0x00000000064B0000-0x00000000064CA000-memory.dmp

Filesize
104KB

Download
memory/3904-146-0x00000000078A0000-0x0000000007F1A000-memory.dmp

Filesize
6.5MB

Download
memory/3904-149-0x0000000006580000-0x00000000065A2000-memory.dmp

Filesize
136KB

Download
memory/3904-148-0x0000000007220000-0x00000000072B6000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing