masslogger | ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56

General

Target

ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe
Size

926KB
MD5

12094cb754508166c0827e574092eb81
SHA1

2e1a052471e9d2b50dce06908dae7875ca4716b5
SHA256

ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56
SHA512

e3dc9b82ef9c854f13b3a1c9cd8265773a46ea9e723780d018f9a20c3dc8751f7cb541b41ae0761110d3a23486aeca919257c8d64511b131e4baab844225b193

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

resource	yara_rule
behavioral2/memory/5024-135-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3124 set thread context of 5024	3124	ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe	87

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3124	ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe
3124	ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe
3124	ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe
4348	powershell.exe
4348	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3124	ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe
Token: SeDebugPrivilege	4348	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 5024	3124	ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe	87
PID 3124 wrote to memory of 5024	3124	ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe	87
PID 3124 wrote to memory of 5024	3124	ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe	87
PID 3124 wrote to memory of 5024	3124	ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe	87
PID 3124 wrote to memory of 5024	3124	ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe	87
PID 3124 wrote to memory of 5024	3124	ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe	87
PID 3124 wrote to memory of 5024	3124	ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe	87
PID 3124 wrote to memory of 5024	3124	ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe	87
PID 5024 wrote to memory of 216	5024	ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe	88
PID 5024 wrote to memory of 216	5024	ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe	88
PID 5024 wrote to memory of 216	5024	ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe	88
PID 216 wrote to memory of 4348	216	cmd.exe	90
PID 216 wrote to memory of 4348	216	cmd.exe	90
PID 216 wrote to memory of 4348	216	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe
"C:\Users\Admin\AppData\Local\Temp\ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Users\Admin\AppData\Local\Temp\ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe
  "{path}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ea1c723ceedac998a362db9d383f81e90cd4821ae42749547036247add752a56.exe.log

Filesize
507B

MD5
8cf94b5356be60247d331660005941ec

SHA1
fdedb361f40f22cb6a086c808fc0056d4e421131

SHA256
52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

SHA512
b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

Download Submit
memory/3124-131-0x000000000AD30000-0x000000000B2D4000-memory.dmp

Filesize
5.6MB

Download
memory/3124-132-0x000000000A820000-0x000000000A8B2000-memory.dmp

Filesize
584KB

Download
memory/3124-133-0x000000000A8C0000-0x000000000A95C000-memory.dmp

Filesize
624KB

Download
memory/3124-130-0x0000000000310000-0x0000000000402000-memory.dmp

Filesize
968KB

Download
memory/4348-142-0x00000000053B0000-0x00000000053D2000-memory.dmp

Filesize
136KB

Download
memory/4348-140-0x0000000002A50000-0x0000000002A86000-memory.dmp

Filesize
216KB

Download
memory/4348-141-0x00000000054F0000-0x0000000005B18000-memory.dmp

Filesize
6.2MB

Download
memory/4348-143-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/4348-144-0x0000000006380000-0x000000000639E000-memory.dmp

Filesize
120KB

Download
memory/4348-145-0x00000000079D0000-0x000000000804A000-memory.dmp

Filesize
6.5MB

Download
memory/4348-146-0x0000000006870000-0x000000000688A000-memory.dmp

Filesize
104KB

Download
memory/4348-147-0x00000000073F0000-0x0000000007486000-memory.dmp

Filesize
600KB

Download
memory/4348-148-0x0000000007350000-0x0000000007372000-memory.dmp

Filesize
136KB

Download
memory/5024-137-0x00000000050C0000-0x0000000005126000-memory.dmp

Filesize
408KB

Download
memory/5024-135-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download

Analysis

Sharing