masslogger | 10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909

General

Target

10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe
Size

1.1MB
MD5

ef826a08ca7e802e0a5a5c61b58b2a80
SHA1

467f33a80dd20e33c0f89ebd69d265cbe109556d
SHA256

10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909
SHA512

cd51bec962ba2aa24ea5747111b9bf292591009cef084facaf56278ab338964b3149a2e6f9d4c2e17ceba15c2095d6af0081c7175ea841a661ca3fe9ef1c3dac

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 4 IoCs

resource	yara_rule
behavioral2/memory/3008-133-0x0000000000B80000-0x0000000000C06000-memory.dmp	family_masslogger
behavioral2/memory/3008-134-0x0000000000B80000-0x0000000000C06000-memory.dmp	family_masslogger
behavioral2/memory/3008-135-0x0000000000400000-0x000000000051E000-memory.dmp	family_masslogger
behavioral2/memory/3008-140-0x0000000000400000-0x000000000051E000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2688 set thread context of 3008	2688	10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe	81

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2688	10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe
2688	10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe
3008	10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe
3008	10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe
3488	powershell.exe
3488	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2688	10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe
Token: SeDebugPrivilege	3488	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 3008	2688	10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe	81
PID 2688 wrote to memory of 3008	2688	10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe	81
PID 2688 wrote to memory of 3008	2688	10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe	81
PID 3008 wrote to memory of 3488	3008	10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe	85
PID 3008 wrote to memory of 3488	3008	10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe	85
PID 3008 wrote to memory of 3488	3008	10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe	85

C:\Users\Admin\AppData\Local\Temp\10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe
"C:\Users\Admin\AppData\Local\Temp\10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe
  "C:\Users\Admin\AppData\Local\Temp\10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2688-131-0x0000000003DF0000-0x0000000003E00000-memory.dmp

Filesize
64KB

Download
memory/3008-140-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3008-133-0x0000000000B80000-0x0000000000C06000-memory.dmp

Filesize
536KB

Download
memory/3008-134-0x0000000000B80000-0x0000000000C06000-memory.dmp

Filesize
536KB

Download
memory/3008-135-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3008-136-0x0000000005050000-0x00000000050E2000-memory.dmp

Filesize
584KB

Download
memory/3008-137-0x00000000050F0000-0x0000000005694000-memory.dmp

Filesize
5.6MB

Download
memory/3008-138-0x0000000004DB0000-0x0000000004E16000-memory.dmp

Filesize
408KB

Download
memory/3488-141-0x0000000005170000-0x00000000051A6000-memory.dmp

Filesize
216KB

Download
memory/3488-142-0x0000000005890000-0x0000000005EB8000-memory.dmp

Filesize
6.2MB

Download
memory/3488-143-0x0000000005EF0000-0x0000000005F12000-memory.dmp

Filesize
136KB

Download
memory/3488-144-0x0000000006090000-0x00000000060F6000-memory.dmp

Filesize
408KB

Download
memory/3488-145-0x00000000067A0000-0x00000000067BE000-memory.dmp

Filesize
120KB

Download
memory/3488-146-0x0000000007E10000-0x000000000848A000-memory.dmp

Filesize
6.5MB

Download
memory/3488-147-0x0000000006C90000-0x0000000006CAA000-memory.dmp

Filesize
104KB

Download
memory/3488-148-0x0000000007990000-0x0000000007A26000-memory.dmp

Filesize
600KB

Download
memory/3488-149-0x0000000006D40000-0x0000000006D62000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing