Analysis
max time kernel: 62s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-11-2022 15:44
Behavioral tasks
  behavioral1: Sample masslogger.bin.exe, Resource win7-20220812-en
  behavioral2: Sample masslogger.bin.exe, Resource win10v2004-20221111-en
General
Target: masslogger.bin.exe
Size: 499KB
MD5: 3c05e9000f006c7f1549153e7b54e74c
SHA1: b6ca7834020470508a9c205d57621d2a2d025d02
SHA256: 7187a6d2980e3696396c4fbce939eeeb3733b6afdf2e859a385f8d6b29e8cebc
SHA512: 49aec1bf566ca03b38579afd1ea2aa8bed5e78215c83392428b7f36b01117196005e05852af5f862b02228fb9791ed20b0a3493f8cc43109d8d14d11a058adb1
SSDEEP: 6144:MtUXsvIucbyO6+trL99ZgLIRbgvbeXKWfcUTNKMDMAlcn38OxKl9x7qs9Pxcm0AE:MSe1uX3ukCvoBCMDMVqfBdcmDB
Malware Config
Signatures

MassLogger
MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

MassLogger Main payload (1 IoC)
Processes:
  resource                                                                        yara_rule
  behavioral2/memory/4808-132-0x00000000007F0000-0x0000000000874000-memory.dmp    family_masslogger

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid    process
  4808   masslogger.bin.exe
  4808   masslogger.bin.exe
  3556   powershell.exe
  3556   powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid    process
  Token: SeDebugPrivilege   4808   masslogger.bin.exe
  Token: SeDebugPrivilege   3556   powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                         pid    process              target process
  PID 4808 wrote to memory of 3520    4808   masslogger.bin.exe   cmd.exe
  PID 4808 wrote to memory of 3520    4808   masslogger.bin.exe   cmd.exe
  PID 4808 wrote to memory of 3520    4808   masslogger.bin.exe   cmd.exe
  PID 3520 wrote to memory of 3556    3520   cmd.exe              powershell.exe
  PID 3520 wrote to memory of 3556    3520   cmd.exe              powershell.exe
  PID 3520 wrote to memory of 3556    3520   cmd.exe              powershell.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\masslogger.bin.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\masslogger.bin.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\masslogger.bin.exe' & exit
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\masslogger.bin.exe'
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
  file                                                                  filesize
  memory/3520-136-0x0000000000000000-mapping.dmp                        -
  memory/3556-141-0x0000000005CE0000-0x0000000005D46000-memory.dmp     408KB
  memory/3556-140-0x00000000054B0000-0x00000000054D2000-memory.dmp     136KB
  memory/3556-146-0x0000000007330000-0x0000000007352000-memory.dmp     136KB
  memory/3556-145-0x00000000073D0000-0x0000000007466000-memory.dmp     600KB
  memory/3556-137-0x0000000000000000-mapping.dmp                        -
  memory/3556-138-0x0000000002A80000-0x0000000002AB6000-memory.dmp     216KB
  memory/3556-139-0x00000000056B0000-0x0000000005CD8000-memory.dmp     6.2MB
  memory/3556-144-0x0000000006820000-0x000000000683A000-memory.dmp     104KB
  memory/3556-143-0x00000000079B0000-0x000000000802A000-memory.dmp     6.5MB
  memory/3556-142-0x0000000006380000-0x000000000639E000-memory.dmp     120KB
  memory/4808-132-0x00000000007F0000-0x0000000000874000-memory.dmp     528KB
  memory/4808-134-0x0000000005D30000-0x00000000062D4000-memory.dmp     5.6MB
  memory/4808-133-0x00000000056E0000-0x0000000005772000-memory.dmp     584KB
  memory/4808-135-0x0000000005780000-0x00000000057E6000-memory.dmp     408KB