masslogger | 8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b

General

Target

8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b.exe
Size

1.6MB
MD5

701689a69877d6fd71e7872be77bcab6
SHA1

dd2cfff32e2de1d6ce99e0ea5814c6ca905b507c
SHA256

8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b
SHA512

5cd5ce167184bf375eace9f3f9d3983e255769a5809ed14994f13eecf37f5f88ba0f5b36be63dc2d25ad358b0f0a9ccf3e2b8c8b56b6dd8c0e6324c2e204727c

Score

10^/10

masslogger agilenet persistence spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 5 IoCs

resource	yara_rule
behavioral1/memory/784-54-0x0000000001200000-0x00000000013AA000-memory.dmp	family_masslogger
behavioral1/files/0x0007000000005c51-66.dat	family_masslogger
behavioral1/files/0x0007000000005c51-67.dat	family_masslogger
behavioral1/files/0x0007000000005c51-69.dat	family_masslogger
behavioral1/memory/1780-70-0x0000000000A10000-0x0000000000BBA000-memory.dmp	family_masslogger

Executes dropped EXE 1 IoCs

pid	Process
1780	VideoLanApps.exe

Loads dropped DLL 1 IoCs

pid	Process
1652	powershell.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/784-55-0x00000000002E0000-0x00000000002F6000-memory.dmp	agile_net
behavioral1/memory/1780-71-0x00000000001E0000-0x00000000001F6000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\VideoLanApps = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\VideoLanApps.exe"	reg.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
784	8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b.exe
784	8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b.exe
1652	powershell.exe
1652	powershell.exe
1780	VideoLanApps.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	784	8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1780	VideoLanApps.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 1908	784	8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b.exe	27
PID 784 wrote to memory of 1908	784	8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b.exe	27
PID 784 wrote to memory of 1908	784	8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b.exe	27
PID 784 wrote to memory of 1908	784	8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b.exe	27
PID 1908 wrote to memory of 1952	1908	cmd.exe	29
PID 1908 wrote to memory of 1952	1908	cmd.exe	29
PID 1908 wrote to memory of 1952	1908	cmd.exe	29
PID 1908 wrote to memory of 1952	1908	cmd.exe	29
PID 784 wrote to memory of 1652	784	8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b.exe	30
PID 784 wrote to memory of 1652	784	8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b.exe	30
PID 784 wrote to memory of 1652	784	8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b.exe	30
PID 784 wrote to memory of 1652	784	8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b.exe	30
PID 1652 wrote to memory of 1780	1652	powershell.exe	32
PID 1652 wrote to memory of 1780	1652	powershell.exe	32
PID 1652 wrote to memory of 1780	1652	powershell.exe	32
PID 1652 wrote to memory of 1780	1652	powershell.exe	32

C:\Users\Admin\AppData\Local\Temp\8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b.exe
"C:\Users\Admin\AppData\Local\Temp\8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v VideoLanApps /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VideoLanApps.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v VideoLanApps /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VideoLanApps.exe"
    3⤵
    - Adds Run key to start application
    PID:1952
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VideoLanApps.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VideoLanApps.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VideoLanApps.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VideoLanApps.exe

Filesize
1.6MB

MD5
701689a69877d6fd71e7872be77bcab6

SHA1
dd2cfff32e2de1d6ce99e0ea5814c6ca905b507c

SHA256
8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b

SHA512
5cd5ce167184bf375eace9f3f9d3983e255769a5809ed14994f13eecf37f5f88ba0f5b36be63dc2d25ad358b0f0a9ccf3e2b8c8b56b6dd8c0e6324c2e204727c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VideoLanApps.exe

Filesize
1.6MB

MD5
701689a69877d6fd71e7872be77bcab6

SHA1
dd2cfff32e2de1d6ce99e0ea5814c6ca905b507c

SHA256
8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b

SHA512
5cd5ce167184bf375eace9f3f9d3983e255769a5809ed14994f13eecf37f5f88ba0f5b36be63dc2d25ad358b0f0a9ccf3e2b8c8b56b6dd8c0e6324c2e204727c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VideoLanApps.exe

Filesize
1.6MB

MD5
701689a69877d6fd71e7872be77bcab6

SHA1
dd2cfff32e2de1d6ce99e0ea5814c6ca905b507c

SHA256
8ecc3131ea3673261bb619defd0dca00a3ed11b5bf5759287d5e94580a43e28b

SHA512
5cd5ce167184bf375eace9f3f9d3983e255769a5809ed14994f13eecf37f5f88ba0f5b36be63dc2d25ad358b0f0a9ccf3e2b8c8b56b6dd8c0e6324c2e204727c

Download Submit
memory/784-58-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/784-54-0x0000000001200000-0x00000000013AA000-memory.dmp

Filesize
1.7MB

Download
memory/784-55-0x00000000002E0000-0x00000000002F6000-memory.dmp

Filesize
88KB

Download
memory/784-56-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/784-61-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/784-57-0x00000000004E0000-0x00000000004E8000-memory.dmp

Filesize
32KB

Download
memory/1652-65-0x0000000074280000-0x000000007482B000-memory.dmp

Filesize
5.7MB

Download
memory/1652-64-0x0000000074280000-0x000000007482B000-memory.dmp

Filesize
5.7MB

Download
memory/1652-72-0x0000000074280000-0x000000007482B000-memory.dmp

Filesize
5.7MB

Download
memory/1780-70-0x0000000000A10000-0x0000000000BBA000-memory.dmp

Filesize
1.7MB

Download
memory/1780-71-0x00000000001E0000-0x00000000001F6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing