masslogger | a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf

General

Target

a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe
Size

819KB
MD5

0f2e4a2aefff2c984d82f29ce834669f
SHA1

fbe05d756e7040b385adb24e22267da7038845b5
SHA256

a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf
SHA512

56430acc54b1d79b153e1ada48b2b19bf3e51f6dea5aee201bfa7332604f9a784fee2bdb592e0ad0fc4a91d2d155a4c41bea9b5b70bf7bc0687862b70fb7bb85

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main payload 1 IoCs

resource	yara_rule
behavioral2/memory/396-136-0x0000000000400000-0x0000000000484000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 396	2676	a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe	91

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
396	a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe
396	a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe
3788	powershell.exe
3788	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	396	a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe
Token: SeDebugPrivilege	3788	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2676	a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2676	a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 396	2676	a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe	91
PID 2676 wrote to memory of 396	2676	a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe	91
PID 2676 wrote to memory of 396	2676	a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe	91
PID 2676 wrote to memory of 396	2676	a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe	91
PID 2676 wrote to memory of 396	2676	a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe	91
PID 2676 wrote to memory of 396	2676	a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe	91
PID 2676 wrote to memory of 396	2676	a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe	91
PID 2676 wrote to memory of 396	2676	a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe	91
PID 396 wrote to memory of 2252	396	a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe	92
PID 396 wrote to memory of 2252	396	a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe	92
PID 396 wrote to memory of 2252	396	a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe	92
PID 2252 wrote to memory of 3788	2252	cmd.exe	94
PID 2252 wrote to memory of 3788	2252	cmd.exe	94
PID 2252 wrote to memory of 3788	2252	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe
"C:\Users\Admin\AppData\Local\Temp\a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe
  "C:\Users\Admin\AppData\Local\Temp\a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a2b4d46606b331bdc9da63107c6271a59c60e7ea78922be4eeaccccbe3bde0bf.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/396-136-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/396-137-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/2676-130-0x0000000000960000-0x0000000000A34000-memory.dmp

Filesize
848KB

Download
memory/2676-131-0x0000000005A30000-0x0000000005FD4000-memory.dmp

Filesize
5.6MB

Download
memory/2676-132-0x00000000053D0000-0x0000000005462000-memory.dmp

Filesize
584KB

Download
memory/2676-133-0x0000000005570000-0x000000000557A000-memory.dmp

Filesize
40KB

Download
memory/2676-134-0x0000000007D00000-0x0000000007D9C000-memory.dmp

Filesize
624KB

Download
memory/3788-141-0x0000000004960000-0x0000000004996000-memory.dmp

Filesize
216KB

Download
memory/3788-142-0x0000000005030000-0x0000000005658000-memory.dmp

Filesize
6.2MB

Download
memory/3788-143-0x0000000004F70000-0x0000000004F92000-memory.dmp

Filesize
136KB

Download
memory/3788-144-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/3788-145-0x0000000005F00000-0x0000000005F1E000-memory.dmp

Filesize
120KB

Download
memory/3788-146-0x0000000007600000-0x0000000007C7A000-memory.dmp

Filesize
6.5MB

Download
memory/3788-147-0x0000000006430000-0x000000000644A000-memory.dmp

Filesize
104KB

Download
memory/3788-148-0x0000000006F80000-0x0000000007016000-memory.dmp

Filesize
600KB

Download
memory/3788-149-0x00000000064E0000-0x0000000006502000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing