masslogger | 0d98cc703438cff3cc32a2bd01032c9234cae7c6e4c375047d0260b5d0b5e783

General

Target

SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Size

1005KB
MD5

013106940b067393d0458736ed44b179
SHA1

6a461570410fbfbf9006ee0cc9be2d5f9c363b04
SHA256

0d98cc703438cff3cc32a2bd01032c9234cae7c6e4c375047d0260b5d0b5e783
SHA512

d14a9b0a5c965fe730a9ce45cf7b3ec801308dd3186ac5be1578c706312c6ad46e31a895244286a0f75dfaf39529a459c7ff0f83e3dc2c00257bae665ce68c51

Score

10^/10

masslogger collection spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/668-63-0x0000000000400000-0x0000000000484000-memory.dmp	family_masslogger
behavioral1/memory/668-64-0x0000000000400000-0x0000000000484000-memory.dmp	family_masslogger
behavioral1/memory/668-65-0x0000000000400000-0x0000000000484000-memory.dmp	family_masslogger
behavioral1/memory/668-66-0x000000000047E1AE-mapping.dmp	family_masslogger
behavioral1/memory/668-68-0x0000000000400000-0x0000000000484000-memory.dmp	family_masslogger
behavioral1/memory/668-70-0x0000000000400000-0x0000000000484000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs

collection

Email Collection

T1114

Processes:

SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org

flow	ioc
4	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe

description	pid	process	target process
PID 1276 set thread context of 668	1276	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe

pid	process
668	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
668	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
668	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe

description pid process

Token: SeDebugPrivilege 668 SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe

description	pid	process
Token: SeDebugPrivilege	668	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe

description	pid	process	target process
PID 1276 wrote to memory of 668	1276	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
PID 1276 wrote to memory of 668	1276	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
PID 1276 wrote to memory of 668	1276	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
PID 1276 wrote to memory of 668	1276	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
PID 1276 wrote to memory of 668	1276	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
PID 1276 wrote to memory of 668	1276	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
PID 1276 wrote to memory of 668	1276	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
PID 1276 wrote to memory of 668	1276	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
PID 1276 wrote to memory of 668	1276	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe

outlook_office_path 1 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe

outlook_win_path 1 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe"
2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/668-68-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/668-60-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/668-73-0x0000000000635000-0x0000000000646000-memory.dmp

Filesize
68KB

Download
memory/668-72-0x0000000000635000-0x0000000000646000-memory.dmp

Filesize
68KB

Download
memory/668-63-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/668-70-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/668-66-0x000000000047E1AE-mapping.dmp

Download
memory/668-61-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/668-65-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/668-64-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1276-58-0x00000000012C0000-0x00000000012C6000-memory.dmp

Filesize
24KB

Download
memory/1276-55-0x00000000756E1000-0x00000000756E3000-memory.dmp

Filesize
8KB

Download
memory/1276-54-0x00000000012F0000-0x00000000013F2000-memory.dmp

Filesize
1.0MB

Download
memory/1276-59-0x0000000007300000-0x0000000007384000-memory.dmp

Filesize
528KB

Download
memory/1276-57-0x000000000A2F0000-0x000000000A3CE000-memory.dmp

Filesize
888KB

Download
memory/1276-56-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads