masslogger | fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe
Size

1.3MB
MD5

e100dae48ea9573f3c6c1eae79f69c67
SHA1

5a5ea06984790ce00f152a3ccc6e2dcb7c6b6f08
SHA256

fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783
SHA512

1a9295b144b8403cd2c2366d681267752057275cf447cc9902b5765dbf6cf5eb5ef0fbcd2cea33478205333314a43c30093bb7baefed64bba0b2754185613291

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 33 IoCs

resource	yara_rule
behavioral2/memory/2052-133-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-132-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-135-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-137-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-139-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-141-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-143-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-145-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-147-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-149-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-151-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-153-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-155-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-157-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-159-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-161-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-163-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-165-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-167-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-169-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-171-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-173-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-175-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-177-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-179-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-181-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-183-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-185-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-187-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-189-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-191-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-193-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-195-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3048 set thread context of 2052	3048	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe	81

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3048	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe
3048	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe
4580	powershell.exe
4580	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3048	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe
Token: SeDebugPrivilege	4580	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2052	3048	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe	81
PID 3048 wrote to memory of 2052	3048	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe	81
PID 3048 wrote to memory of 2052	3048	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe	81
PID 2052 wrote to memory of 220	2052	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe	87
PID 2052 wrote to memory of 220	2052	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe	87
PID 2052 wrote to memory of 220	2052	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe	87
PID 220 wrote to memory of 4580	220	cmd.exe	90
PID 220 wrote to memory of 4580	220	cmd.exe	90
PID 220 wrote to memory of 4580	220	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe
"C:\Users\Admin\AppData\Local\Temp\fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe
  "C:\Users\Admin\AppData\Local\Temp\fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2052-133-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-132-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-135-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-137-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-139-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-141-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-143-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-145-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-147-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-149-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-151-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-153-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-155-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-157-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-159-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-161-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-163-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-165-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-167-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-169-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-171-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-173-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-175-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-177-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-179-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-181-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-183-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-185-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-187-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-189-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-191-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-193-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-195-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-640-0x0000000004C30000-0x00000000051D4000-memory.dmp

Filesize
5.6MB

Download
memory/2052-641-0x00000000051E0000-0x000000000527C000-memory.dmp

Filesize
624KB

Download
memory/2052-642-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/2052-643-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/3048-131-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/4580-646-0x0000000002B00000-0x0000000002B36000-memory.dmp

Filesize
216KB

Download
memory/4580-647-0x0000000005660000-0x0000000005C88000-memory.dmp

Filesize
6.2MB

Download
memory/4580-648-0x0000000005530000-0x0000000005552000-memory.dmp

Filesize
136KB

Download
memory/4580-649-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/4580-650-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/4580-651-0x0000000007C80000-0x00000000082FA000-memory.dmp

Filesize
6.5MB

Download
memory/4580-652-0x00000000068A0000-0x00000000068BA000-memory.dmp

Filesize
104KB

Download
memory/4580-653-0x00000000076A0000-0x0000000007736000-memory.dmp

Filesize
600KB

Download
memory/4580-654-0x00000000069F0000-0x0000000006A12000-memory.dmp

Filesize
136KB

Download