masslogger | 32439b531876d0d85388dd99e7693bd5557266ac6b686ee18073272acba05109

Analysis

max time kernel
111s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-05-2022 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kesh.exe
Size

1.3MB
MD5

aff458f89b918aca8c12c638ce8fece2
SHA1

24bddc3fee66de67a6db095ed22033af895e7b41
SHA256

3ce259abdca64cabc5ac51d1810ccff6a02fed247f4e65884d4fa4d23f18e086
SHA512

ae8c5e8afcfad1359566dee132b24dca1f8e40d3eadac9302075bb326b10ee7e1de25de3f37957dd7c665b2eb3687afd824b35003918b68e4c83fda7d69ada17

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2896-134-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-133-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-136-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-138-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-140-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-142-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-144-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-152-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-156-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-164-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-168-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-172-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-180-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-184-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-192-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-194-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-196-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-190-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-188-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-186-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-182-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-178-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-176-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-174-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-170-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-166-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-162-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-160-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-158-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-154-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-150-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-148-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger
behavioral2/memory/2896-146-0x0000000000C40000-0x0000000000CF2000-memory.dmp	family_masslogger

Drops startup file 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ksh.vbs notepad.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

kesh.exe

description pid process target process

PID 1336 set thread context of 2896 1336 kesh.exe kesh.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

kesh.exepowershell.exe

pid process

1336 kesh.exe
1336 kesh.exe
1136 powershell.exe
1136 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

kesh.exe

pid process

1336 kesh.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

kesh.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2896 kesh.exe
Token: SeDebugPrivilege 1136 powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ksh.vbs	notepad.exe

description	pid	process	target process
PID 1336 set thread context of 2896	1336	kesh.exe	kesh.exe

pid	process
1336	kesh.exe
1336	kesh.exe
1136	powershell.exe
1136	powershell.exe

pid	process
1336	kesh.exe

description	pid	process
Token: SeDebugPrivilege	2896	kesh.exe
Token: SeDebugPrivilege	1136	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

kesh.exekesh.execmd.exe

description	pid	process	target process
PID 1336 wrote to memory of 3124	1336	kesh.exe	notepad.exe
PID 1336 wrote to memory of 3124	1336	kesh.exe	notepad.exe
PID 1336 wrote to memory of 3124	1336	kesh.exe	notepad.exe
PID 1336 wrote to memory of 3124	1336	kesh.exe	notepad.exe
PID 1336 wrote to memory of 3124	1336	kesh.exe	notepad.exe
PID 1336 wrote to memory of 2896	1336	kesh.exe	kesh.exe
PID 1336 wrote to memory of 2896	1336	kesh.exe	kesh.exe
PID 1336 wrote to memory of 2896	1336	kesh.exe	kesh.exe
PID 2896 wrote to memory of 4552	2896	kesh.exe	cmd.exe
PID 2896 wrote to memory of 4552	2896	kesh.exe	cmd.exe
PID 2896 wrote to memory of 4552	2896	kesh.exe	cmd.exe
PID 4552 wrote to memory of 1136	4552	cmd.exe	powershell.exe
PID 4552 wrote to memory of 1136	4552	cmd.exe	powershell.exe
PID 4552 wrote to memory of 1136	4552	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\kesh.exe
"C:\Users\Admin\AppData\Local\Temp\kesh.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Drops startup file
PID:3124

C:\Users\Admin\AppData\Local\Temp\kesh.exe
"C:\Users\Admin\AppData\Local\Temp\kesh.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\kesh.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\kesh.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1136-654-0x0000000000000000-mapping.dmp

Download
memory/1136-655-0x00000000023C0000-0x00000000023F6000-memory.dmp

Filesize
216KB

Download
memory/1136-656-0x0000000004EB0000-0x00000000054D8000-memory.dmp

Filesize
6.2MB

Download
memory/1136-657-0x0000000004D10000-0x0000000004D32000-memory.dmp

Filesize
136KB

Download
memory/1136-662-0x0000000007110000-0x00000000071A6000-memory.dmp

Filesize
600KB

Download
memory/1136-663-0x0000000007070000-0x0000000007092000-memory.dmp

Filesize
136KB

Download
memory/1136-660-0x0000000007460000-0x0000000007ADA000-memory.dmp

Filesize
6.5MB

Download
memory/1136-661-0x00000000063C0000-0x00000000063DA000-memory.dmp

Filesize
104KB

Download
memory/1136-659-0x0000000005D50000-0x0000000005D6E000-memory.dmp

Filesize
120KB

Download
memory/1136-658-0x0000000004DB0000-0x0000000004E16000-memory.dmp

Filesize
408KB

Download
memory/1336-130-0x00000000022F0000-0x00000000022F9000-memory.dmp

Filesize
36KB

Download
memory/2896-188-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-170-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-152-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-156-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-164-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-168-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-172-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-180-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-184-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-192-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-194-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-196-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-190-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-142-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-186-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-182-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-178-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-176-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-174-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-144-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-166-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-162-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-160-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-158-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-154-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-150-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-148-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-146-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-649-0x0000000004F20000-0x00000000054C4000-memory.dmp

Filesize
5.6MB

Download
memory/2896-650-0x0000000004D60000-0x0000000004DFC000-memory.dmp

Filesize
624KB

Download
memory/2896-140-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-138-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-136-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-132-0x0000000000000000-mapping.dmp

Download
memory/2896-133-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-134-0x0000000000C40000-0x0000000000CF2000-memory.dmp

Filesize
712KB

Download
memory/2896-651-0x0000000004E90000-0x0000000004EF6000-memory.dmp

Filesize
408KB

Download
memory/2896-652-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/3124-131-0x0000000000000000-mapping.dmp

Download
memory/4552-653-0x0000000000000000-mapping.dmp

Download