masslogger | 55247605abdc8ef6f7ad3bb5eed601a6b5da5205785ac51a9407f0d1dcde9b6d

Analysis

max time kernel
103s
max time network
49s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 16:54

Target

LIST OF PRODUCTS NEEDED.exe
Size

1.1MB
MD5

af517807c4b6160d07314ba228f333de
SHA1

9020081ebc00595e57d5d40a742682f4de0b7671
SHA256

e97151ce51e9463bd45ad41571141614fc0ffc8a8cbf2c74f36c20028a769f41
SHA512

8647a9336ff7e33b60c7f9903d9214de5842bc195f4460870f9dda8205397ef9aaddf0a371ceb90b280e9b26017e53e0c10422844ce0f30fda14b7dccc310b00

Score

10^/10

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1744-60-0x0000000000400000-0x000000000048C000-memory.dmp	family_masslogger
behavioral1/memory/1744-62-0x0000000000400000-0x000000000048C000-memory.dmp	family_masslogger
behavioral1/memory/1744-61-0x0000000000400000-0x000000000048C000-memory.dmp	family_masslogger
behavioral1/memory/1744-63-0x00000000004872DE-mapping.dmp	family_masslogger
behavioral1/memory/1744-65-0x0000000000400000-0x000000000048C000-memory.dmp	family_masslogger
behavioral1/memory/1744-67-0x0000000000400000-0x000000000048C000-memory.dmp	family_masslogger

Suspicious use of SetThreadContext 1 IoCs

Processes:

LIST OF PRODUCTS NEEDED.exe

description pid process target process

PID 1656 set thread context of 1744 1656 LIST OF PRODUCTS NEEDED.exe RegSvcs.exe

description	pid	process	target process
PID 1656 set thread context of 1744	1656	LIST OF PRODUCTS NEEDED.exe	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

LIST OF PRODUCTS NEEDED.exeRegSvcs.exe

description	pid	process	target process
PID 1656 wrote to memory of 1744	1656	LIST OF PRODUCTS NEEDED.exe	RegSvcs.exe
PID 1656 wrote to memory of 1744	1656	LIST OF PRODUCTS NEEDED.exe	RegSvcs.exe
PID 1656 wrote to memory of 1744	1656	LIST OF PRODUCTS NEEDED.exe	RegSvcs.exe
PID 1656 wrote to memory of 1744	1656	LIST OF PRODUCTS NEEDED.exe	RegSvcs.exe
PID 1656 wrote to memory of 1744	1656	LIST OF PRODUCTS NEEDED.exe	RegSvcs.exe
PID 1656 wrote to memory of 1744	1656	LIST OF PRODUCTS NEEDED.exe	RegSvcs.exe
PID 1656 wrote to memory of 1744	1656	LIST OF PRODUCTS NEEDED.exe	RegSvcs.exe
PID 1656 wrote to memory of 1744	1656	LIST OF PRODUCTS NEEDED.exe	RegSvcs.exe
PID 1656 wrote to memory of 1744	1656	LIST OF PRODUCTS NEEDED.exe	RegSvcs.exe
PID 1656 wrote to memory of 1744	1656	LIST OF PRODUCTS NEEDED.exe	RegSvcs.exe
PID 1656 wrote to memory of 1744	1656	LIST OF PRODUCTS NEEDED.exe	RegSvcs.exe
PID 1656 wrote to memory of 1744	1656	LIST OF PRODUCTS NEEDED.exe	RegSvcs.exe
PID 1744 wrote to memory of 2036	1744	RegSvcs.exe	dw20.exe
PID 1744 wrote to memory of 2036	1744	RegSvcs.exe	dw20.exe
PID 1744 wrote to memory of 2036	1744	RegSvcs.exe	dw20.exe
PID 1744 wrote to memory of 2036	1744	RegSvcs.exe	dw20.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 372
3⤵
PID:2036

memory/1656-54-0x0000000075301000-0x0000000075303000-memory.dmp

Filesize
8KB

Download
memory/1656-55-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-56-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-70-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/1744-62-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1744-60-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1744-58-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1744-61-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1744-63-0x00000000004872DE-mapping.dmp

Download
memory/1744-65-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1744-67-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1744-57-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1744-72-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/1744-73-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-69-0x0000000000000000-mapping.dmp

Download