masslogger | c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543

General

Target

c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe
Size

824KB
MD5

8b7df26c62ae59859e08096fd12cf199
SHA1

5879a5399d91a57d2327584ccce8b8654e60b642
SHA256

c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543
SHA512

ddba02b074af7b559d78b6d9423fdd7a4247f8f66a2d624605293a5789534c78e4e8dac9cc7c814970d14c338d906de71ef5951453a2911a800a0ac42a28e10d

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3584-136-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4760 set thread context of 3584	4760	c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1612	powershell.exe
1612	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 3584	4760	c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe	90
PID 4760 wrote to memory of 3584	4760	c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe	90
PID 4760 wrote to memory of 3584	4760	c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe	90
PID 4760 wrote to memory of 3584	4760	c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe	90
PID 4760 wrote to memory of 3584	4760	c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe	90
PID 4760 wrote to memory of 3584	4760	c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe	90
PID 4760 wrote to memory of 3584	4760	c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe	90
PID 4760 wrote to memory of 3584	4760	c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe	90
PID 3584 wrote to memory of 1360	3584	c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe	91
PID 3584 wrote to memory of 1360	3584	c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe	91
PID 3584 wrote to memory of 1360	3584	c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe	91
PID 1360 wrote to memory of 1612	1360	cmd.exe	93
PID 1360 wrote to memory of 1612	1360	cmd.exe	93
PID 1360 wrote to memory of 1612	1360	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe
"C:\Users\Admin\AppData\Local\Temp\c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Local\Temp\c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe
  "C:\Users\Admin\AppData\Local\Temp\c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\c4ef4eccfd7797c2a7e0a26e237e9489e8ecdfa38d25e3d4d0b9f259470d8543.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/1612-145-0x00000000062C0000-0x00000000062DE000-memory.dmp

Filesize
120KB

Download
memory/1612-146-0x0000000007B10000-0x000000000818A000-memory.dmp

Filesize
6.5MB

Download
memory/1612-149-0x0000000006880000-0x00000000068A2000-memory.dmp

Filesize
136KB

Download
memory/1612-148-0x0000000007530000-0x00000000075C6000-memory.dmp

Filesize
600KB

Download
memory/1612-147-0x00000000067E0000-0x00000000067FA000-memory.dmp

Filesize
104KB

Download
memory/1612-141-0x0000000002980000-0x00000000029B6000-memory.dmp

Filesize
216KB

Download
memory/1612-142-0x00000000054A0000-0x0000000005AC8000-memory.dmp

Filesize
6.2MB

Download
memory/1612-143-0x0000000005B40000-0x0000000005B62000-memory.dmp

Filesize
136KB

Download
memory/1612-144-0x0000000005BE0000-0x0000000005C46000-memory.dmp

Filesize
408KB

Download
memory/3584-136-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3584-138-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/4760-132-0x0000000005810000-0x00000000058A2000-memory.dmp

Filesize
584KB

Download
memory/4760-130-0x0000000000D90000-0x0000000000E64000-memory.dmp

Filesize
848KB

Download
memory/4760-131-0x0000000005CD0000-0x0000000006274000-memory.dmp

Filesize
5.6MB

Download
memory/4760-133-0x00000000059C0000-0x00000000059CA000-memory.dmp

Filesize
40KB

Download
memory/4760-134-0x0000000008F50000-0x0000000008FEC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing