masslogger | fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783

General

Target

fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe
Size

1.3MB
MD5

e100dae48ea9573f3c6c1eae79f69c67
SHA1

5a5ea06984790ce00f152a3ccc6e2dcb7c6b6f08
SHA256

fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783
SHA512

1a9295b144b8403cd2c2366d681267752057275cf447cc9902b5765dbf6cf5eb5ef0fbcd2cea33478205333314a43c30093bb7baefed64bba0b2754185613291

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2052-133-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-132-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-135-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-137-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-139-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-141-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-143-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-145-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-147-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-149-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-151-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-153-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-155-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-157-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-159-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-161-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-163-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-165-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-167-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-169-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-171-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-173-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-175-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-177-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-179-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-181-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-183-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-185-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-187-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-189-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-191-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-193-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger
behavioral2/memory/2052-195-0x0000000000BC0000-0x0000000000C70000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

Processes:

fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe

description	pid	process	target process
PID 3048 set thread context of 2052	3048	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exepowershell.exe

pid	process
3048	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe
3048	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe
4580	powershell.exe
4580	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe

pid process

3048 fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2052	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe
Token: SeDebugPrivilege	4580	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exefda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.execmd.exe

description	pid	process	target process
PID 3048 wrote to memory of 2052	3048	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe
PID 3048 wrote to memory of 2052	3048	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe
PID 3048 wrote to memory of 2052	3048	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe
PID 2052 wrote to memory of 220	2052	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe	cmd.exe
PID 2052 wrote to memory of 220	2052	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe	cmd.exe
PID 2052 wrote to memory of 220	2052	fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe	cmd.exe
PID 220 wrote to memory of 4580	220	cmd.exe	powershell.exe
PID 220 wrote to memory of 4580	220	cmd.exe	powershell.exe
PID 220 wrote to memory of 4580	220	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe
"C:\Users\Admin\AppData\Local\Temp\fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe
"C:\Users\Admin\AppData\Local\Temp\fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\fda81f263ab7e2516caf64983c7847ae4836cc3758b0332923fa222b47b93783.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/220-644-0x0000000000000000-mapping.dmp

Download
memory/2052-130-0x0000000000000000-mapping.dmp

Download
memory/2052-133-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-132-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-135-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-137-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-139-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-141-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-143-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-145-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-147-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-149-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-151-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-153-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-155-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-157-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-159-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-161-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-163-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-165-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-167-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-169-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-171-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-173-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-175-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-177-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-179-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-181-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-183-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-185-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-187-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-189-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-191-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-193-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-195-0x0000000000BC0000-0x0000000000C70000-memory.dmp

Filesize
704KB

Download
memory/2052-640-0x0000000004C30000-0x00000000051D4000-memory.dmp

Filesize
5.6MB

Download
memory/2052-641-0x00000000051E0000-0x000000000527C000-memory.dmp

Filesize
624KB

Download
memory/2052-642-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/2052-643-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/3048-131-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/4580-645-0x0000000000000000-mapping.dmp

Download
memory/4580-646-0x0000000002B00000-0x0000000002B36000-memory.dmp

Filesize
216KB

Download
memory/4580-647-0x0000000005660000-0x0000000005C88000-memory.dmp

Filesize
6.2MB

Download
memory/4580-648-0x0000000005530000-0x0000000005552000-memory.dmp

Filesize
136KB

Download
memory/4580-649-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/4580-650-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/4580-651-0x0000000007C80000-0x00000000082FA000-memory.dmp

Filesize
6.5MB

Download
memory/4580-652-0x00000000068A0000-0x00000000068BA000-memory.dmp

Filesize
104KB

Download
memory/4580-653-0x00000000076A0000-0x0000000007736000-memory.dmp

Filesize
600KB

Download
memory/4580-654-0x00000000069F0000-0x0000000006A12000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads