masslogger | 0d98cc703438cff3cc32a2bd01032c9234cae7c6e4c375047d0260b5d0b5e783

General

Target

SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Size

1005KB
MD5

013106940b067393d0458736ed44b179
SHA1

6a461570410fbfbf9006ee0cc9be2d5f9c363b04
SHA256

0d98cc703438cff3cc32a2bd01032c9234cae7c6e4c375047d0260b5d0b5e783
SHA512

d14a9b0a5c965fe730a9ce45cf7b3ec801308dd3186ac5be1578c706312c6ad46e31a895244286a0f75dfaf39529a459c7ff0f83e3dc2c00257bae665ce68c51

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4680-138-0x0000000000400000-0x0000000000484000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2964 set thread context of 4680	2964	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	92

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2964	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
2964	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
4680	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
4680	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
1720	powershell.exe
1720	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Token: SeDebugPrivilege	4680	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
Token: SeDebugPrivilege	1720	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 4804	2964	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	91
PID 2964 wrote to memory of 4804	2964	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	91
PID 2964 wrote to memory of 4804	2964	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	91
PID 2964 wrote to memory of 4680	2964	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	92
PID 2964 wrote to memory of 4680	2964	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	92
PID 2964 wrote to memory of 4680	2964	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	92
PID 2964 wrote to memory of 4680	2964	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	92
PID 2964 wrote to memory of 4680	2964	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	92
PID 2964 wrote to memory of 4680	2964	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	92
PID 2964 wrote to memory of 4680	2964	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	92
PID 2964 wrote to memory of 4680	2964	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	92
PID 4680 wrote to memory of 1888	4680	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	93
PID 4680 wrote to memory of 1888	4680	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	93
PID 4680 wrote to memory of 1888	4680	SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe	93
PID 1888 wrote to memory of 1720	1888	cmd.exe	95
PID 1888 wrote to memory of 1720	1888	cmd.exe	95
PID 1888 wrote to memory of 1720	1888	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe"
  2⤵
  PID:4804
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.GenericKD.50428043.31193.exe.log

Filesize
1KB

MD5
8323fae9fbc8238dfd3efdc87ac3534c

SHA1
d88623828a38d6b528963a32902c9f336a08942e

SHA256
1ccd81d339d51696fa8569e0ea179873452e8aa087b14a397538cda74996fe00

SHA512
9a50d78360761b85c2b49fd2959744c004a74600ffef5756391fec0f02c8aafc6061a028518808693297f03e9fc65067e3d4b29d876ed70eb8e2ad9094d246c3

Download Submit
memory/1720-150-0x0000000006E50000-0x0000000006E72000-memory.dmp

Filesize
136KB

Download
memory/1720-149-0x0000000007AE0000-0x0000000007B76000-memory.dmp

Filesize
600KB

Download
memory/1720-148-0x0000000006D60000-0x0000000006D7A000-memory.dmp

Filesize
104KB

Download
memory/1720-147-0x0000000007EC0000-0x000000000853A000-memory.dmp

Filesize
6.5MB

Download
memory/1720-146-0x0000000006870000-0x000000000688E000-memory.dmp

Filesize
120KB

Download
memory/1720-145-0x00000000061C0000-0x0000000006226000-memory.dmp

Filesize
408KB

Download
memory/1720-144-0x00000000058C0000-0x00000000058E2000-memory.dmp

Filesize
136KB

Download
memory/1720-143-0x00000000059A0000-0x0000000005FC8000-memory.dmp

Filesize
6.2MB

Download
memory/1720-142-0x0000000002FA0000-0x0000000002FD6000-memory.dmp

Filesize
216KB

Download
memory/2964-130-0x0000000000650000-0x0000000000752000-memory.dmp

Filesize
1.0MB

Download
memory/2964-135-0x000000000ADB0000-0x000000000AE16000-memory.dmp

Filesize
408KB

Download
memory/2964-134-0x00000000096F0000-0x000000000978C000-memory.dmp

Filesize
624KB

Download
memory/2964-133-0x0000000007670000-0x000000000767A000-memory.dmp

Filesize
40KB

Download
memory/2964-132-0x00000000075D0000-0x0000000007662000-memory.dmp

Filesize
584KB

Download
memory/2964-131-0x0000000007AE0000-0x0000000008084000-memory.dmp

Filesize
5.6MB

Download
memory/4680-138-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing