masslogger | 611f0ae1632337b1d0ee2d5297ddfe300cc510c46266417bedd7c343ced0b264

General

Target

pqI75Aqgj0J5fmF.exe
Size

994KB
MD5

72115f284ae26d36cc4e0427fc3be420
SHA1

086b2d81c7913aac1f10632f34623356bf8cb081
SHA256

21178d3dc240fc60a328a125280b58e073cd8cb677553cc867a62fcdceca210f
SHA512

c29cd1e96a2d70ac1677806068614378bd4add58cc29b06a83f2abea1bf8151f930016cc97ec116ea3ad3ca0ad0598f27bfcaa267ca0be29df2948b5eb794f63

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main payload 32 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1880-138-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-141-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-143-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-145-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-147-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-149-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-151-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-153-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-155-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-157-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-159-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-161-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-163-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-165-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-167-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-169-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-171-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-173-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-175-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-177-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-179-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-181-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-183-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-185-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-187-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-189-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-191-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-193-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-195-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-197-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-199-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger
behavioral2/memory/1880-201-0x0000000000400000-0x00000000004B0000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

pqI75Aqgj0J5fmF.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	pqI75Aqgj0J5fmF.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

pqI75Aqgj0J5fmF.exe

description pid process target process

PID 4464 set thread context of 1880 4464 pqI75Aqgj0J5fmF.exe pqI75Aqgj0J5fmF.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3804 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

pqI75Aqgj0J5fmF.exepowershell.exe

pid process

4464 pqI75Aqgj0J5fmF.exe
2692 powershell.exe
2692 powershell.exe

description	pid	process	target process
PID 4464 set thread context of 1880	4464	pqI75Aqgj0J5fmF.exe	pqI75Aqgj0J5fmF.exe

pid	process
3804	schtasks.exe

pid	process
4464	pqI75Aqgj0J5fmF.exe
2692	powershell.exe
2692	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pqI75Aqgj0J5fmF.exepqI75Aqgj0J5fmF.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4464	pqI75Aqgj0J5fmF.exe
Token: SeDebugPrivilege	1880	pqI75Aqgj0J5fmF.exe
Token: SeDebugPrivilege	2692	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

pqI75Aqgj0J5fmF.exepqI75Aqgj0J5fmF.execmd.exe

description	pid	process	target process
PID 4464 wrote to memory of 3804	4464	pqI75Aqgj0J5fmF.exe	schtasks.exe
PID 4464 wrote to memory of 3804	4464	pqI75Aqgj0J5fmF.exe	schtasks.exe
PID 4464 wrote to memory of 3804	4464	pqI75Aqgj0J5fmF.exe	schtasks.exe
PID 4464 wrote to memory of 1880	4464	pqI75Aqgj0J5fmF.exe	pqI75Aqgj0J5fmF.exe
PID 4464 wrote to memory of 1880	4464	pqI75Aqgj0J5fmF.exe	pqI75Aqgj0J5fmF.exe
PID 4464 wrote to memory of 1880	4464	pqI75Aqgj0J5fmF.exe	pqI75Aqgj0J5fmF.exe
PID 4464 wrote to memory of 1880	4464	pqI75Aqgj0J5fmF.exe	pqI75Aqgj0J5fmF.exe
PID 4464 wrote to memory of 1880	4464	pqI75Aqgj0J5fmF.exe	pqI75Aqgj0J5fmF.exe
PID 4464 wrote to memory of 1880	4464	pqI75Aqgj0J5fmF.exe	pqI75Aqgj0J5fmF.exe
PID 4464 wrote to memory of 1880	4464	pqI75Aqgj0J5fmF.exe	pqI75Aqgj0J5fmF.exe
PID 4464 wrote to memory of 1880	4464	pqI75Aqgj0J5fmF.exe	pqI75Aqgj0J5fmF.exe
PID 1880 wrote to memory of 1476	1880	pqI75Aqgj0J5fmF.exe	cmd.exe
PID 1880 wrote to memory of 1476	1880	pqI75Aqgj0J5fmF.exe	cmd.exe
PID 1880 wrote to memory of 1476	1880	pqI75Aqgj0J5fmF.exe	cmd.exe
PID 1476 wrote to memory of 2692	1476	cmd.exe	powershell.exe
PID 1476 wrote to memory of 2692	1476	cmd.exe	powershell.exe
PID 1476 wrote to memory of 2692	1476	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\pqI75Aqgj0J5fmF.exe
"C:\Users\Admin\AppData\Local\Temp\pqI75Aqgj0J5fmF.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tzZSSBSPX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2A9A.tmp"
2⤵
- Creates scheduled task(s)
PID:3804

C:\Users\Admin\AppData\Local\Temp\pqI75Aqgj0J5fmF.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\pqI75Aqgj0J5fmF.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\pqI75Aqgj0J5fmF.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pqI75Aqgj0J5fmF.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A9A.tmp
Filesize
1KB

MD5
e522379c3ae68cf2e1712cc284301295

SHA1
cebcdd20c8fd7fe0956102bda6b5386ea8657f46

SHA256
78915b3ee58cd590410b4ce107dae912147978bbc214dd30da87d0544684698f

SHA512
2f7737c7e503fe15b5615bef3dd1f679cbca9d9f48e73592269d18afd0907c04ea9e8edfc3a17763117e94c25e9977023bcca502cac4377948c0493143f7275d

Download Submit
memory/1476-649-0x0000000000000000-mapping.dmp

Download
memory/1880-183-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-145-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-185-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-143-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-187-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-147-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-149-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-151-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-153-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-155-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-157-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-159-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-161-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-163-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-165-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-189-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-169-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-171-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-173-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-175-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-177-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-179-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-181-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-138-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-141-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-137-0x0000000000000000-mapping.dmp

Download
memory/1880-167-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-191-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-193-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-195-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-197-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-199-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-201-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1880-648-0x0000000005320000-0x0000000005386000-memory.dmp

Filesize
408KB

Download
memory/2692-652-0x0000000005690000-0x0000000005CB8000-memory.dmp

Filesize
6.2MB

Download
memory/2692-659-0x0000000006840000-0x0000000006862000-memory.dmp

Filesize
136KB

Download
memory/2692-651-0x0000000002930000-0x0000000002966000-memory.dmp

Filesize
216KB

Download
memory/2692-657-0x0000000006770000-0x000000000678A000-memory.dmp

Filesize
104KB

Download
memory/2692-650-0x0000000000000000-mapping.dmp

Download
memory/2692-654-0x0000000005470000-0x00000000054D6000-memory.dmp

Filesize
408KB

Download
memory/2692-656-0x0000000007B00000-0x000000000817A000-memory.dmp

Filesize
6.5MB

Download
memory/2692-658-0x0000000007480000-0x0000000007516000-memory.dmp

Filesize
600KB

Download
memory/2692-653-0x00000000053D0000-0x00000000053F2000-memory.dmp

Filesize
136KB

Download
memory/2692-655-0x0000000006280000-0x000000000629E000-memory.dmp

Filesize
120KB

Download
memory/3804-135-0x0000000000000000-mapping.dmp

Download
memory/4464-130-0x0000000000890000-0x000000000098E000-memory.dmp

Filesize
1016KB

Download
memory/4464-131-0x00000000057D0000-0x0000000005D74000-memory.dmp

Filesize
5.6MB

Download
memory/4464-132-0x0000000005320000-0x00000000053B2000-memory.dmp

Filesize
584KB

Download
memory/4464-133-0x0000000005740000-0x000000000574A000-memory.dmp

Filesize
40KB

Download
memory/4464-134-0x0000000007A90000-0x0000000007B2C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads