masslogger | ade8bfcf1415da45b6137e1e3f610caf22d333cc70d4eb52d7e22131d212461b

General

Target

DEBIT NOTE - SAOFEM20050027pdf.exe
Size

962KB
MD5

ad18e53571ae5be2cc2bd0fafd484da2
SHA1

bf175030caf9f23129a63262d9aa345dab620a12
SHA256

92a7c4b4694b3849c97651e3c5713eedbf3e9a5f157724d6ca9047b05ed0e3d9
SHA512

c1b66d8088c5000d72b3a138493321d1224e14133c3e3f425823b27716fec86012dde25c3037c373c87d5c321c04b57ee4acf6dc588134664bbfb54c5eac9aaa
SSDEEP

24576:TQe6H3aJa0ir1T/tphJqlibPiEj3z1dHK1Wi:E7H3aaxT/Tqlib7z3q1l

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main payload 1 IoCs

resource	yara_rule
behavioral2/memory/1376-141-0x0000000000400000-0x00000000004A8000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DEBIT NOTE - SAOFEM20050027pdf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2536 set thread context of 1376	2536	DEBIT NOTE - SAOFEM20050027pdf.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2536	DEBIT NOTE - SAOFEM20050027pdf.exe
2536	DEBIT NOTE - SAOFEM20050027pdf.exe
2536	DEBIT NOTE - SAOFEM20050027pdf.exe
2536	DEBIT NOTE - SAOFEM20050027pdf.exe
3840	powershell.exe
3840	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	DEBIT NOTE - SAOFEM20050027pdf.exe
Token: SeDebugPrivilege	3840	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 4912	2536	DEBIT NOTE - SAOFEM20050027pdf.exe	82
PID 2536 wrote to memory of 4912	2536	DEBIT NOTE - SAOFEM20050027pdf.exe	82
PID 2536 wrote to memory of 4912	2536	DEBIT NOTE - SAOFEM20050027pdf.exe	82
PID 2536 wrote to memory of 1376	2536	DEBIT NOTE - SAOFEM20050027pdf.exe	84
PID 2536 wrote to memory of 1376	2536	DEBIT NOTE - SAOFEM20050027pdf.exe	84
PID 2536 wrote to memory of 1376	2536	DEBIT NOTE - SAOFEM20050027pdf.exe	84
PID 2536 wrote to memory of 1376	2536	DEBIT NOTE - SAOFEM20050027pdf.exe	84
PID 2536 wrote to memory of 1376	2536	DEBIT NOTE - SAOFEM20050027pdf.exe	84
PID 2536 wrote to memory of 1376	2536	DEBIT NOTE - SAOFEM20050027pdf.exe	84
PID 2536 wrote to memory of 1376	2536	DEBIT NOTE - SAOFEM20050027pdf.exe	84
PID 2536 wrote to memory of 1376	2536	DEBIT NOTE - SAOFEM20050027pdf.exe	84
PID 1376 wrote to memory of 5080	1376	DEBIT NOTE - SAOFEM20050027pdf.exe	85
PID 1376 wrote to memory of 5080	1376	DEBIT NOTE - SAOFEM20050027pdf.exe	85
PID 1376 wrote to memory of 5080	1376	DEBIT NOTE - SAOFEM20050027pdf.exe	85
PID 5080 wrote to memory of 3840	5080	cmd.exe	87
PID 5080 wrote to memory of 3840	5080	cmd.exe	87
PID 5080 wrote to memory of 3840	5080	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\DEBIT NOTE - SAOFEM20050027pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DEBIT NOTE - SAOFEM20050027pdf.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA44E.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4912
- C:\Users\Admin\AppData\Local\Temp\DEBIT NOTE - SAOFEM20050027pdf.exe
  "{path}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\DEBIT NOTE - SAOFEM20050027pdf.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\DEBIT NOTE - SAOFEM20050027pdf.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DEBIT NOTE - SAOFEM20050027pdf.exe.log

Filesize
611B

MD5
e09032fb626c6c1d10e2ab27b0278463

SHA1
a26ea328ef81ab53a9883f7b9c7d3998883eaf47

SHA256
1b834fc0faded24ae9665629c739742a2614784d62f96f9f982a6c678e916147

SHA512
2c341b371103d67fb0bd1e49a4a07b3037e3a304b914446c103de43f87370d584e666f0b93e2c28c776188e975cd95855bb3a1bc4ddbcac89acd62ec46cb5e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA44E.tmp

Filesize
1KB

MD5
9ddde78b770b6f737a42b9e5408e8007

SHA1
8cd9a482d6a1a67eb5dd4d7e164d028b31350bdd

SHA256
5f18696a89dd29bfa0e7c285df713970653a25c83891fa8fb43e750ac4782a62

SHA512
c57e76ef86f82c23e71465de8599a9f19ae15b16bafc16b418a3e87f4d3d70c23dfc7ea50840fc3ac18554d59d9aed982f55b01f9e9f86f2a2a2ec2083297c1b

Download Submit
memory/1376-141-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1376-142-0x0000000005510000-0x0000000005AB4000-memory.dmp

Filesize
5.6MB

Download
memory/1376-143-0x0000000005250000-0x00000000052B6000-memory.dmp

Filesize
408KB

Download
memory/2536-136-0x0000000005110000-0x00000000051AC000-memory.dmp

Filesize
624KB

Download
memory/2536-137-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/2536-135-0x0000000000650000-0x0000000000746000-memory.dmp

Filesize
984KB

Download
memory/3840-150-0x0000000004F00000-0x0000000004F66000-memory.dmp

Filesize
408KB

Download
memory/3840-147-0x00000000023C0000-0x00000000023F6000-memory.dmp

Filesize
216KB

Download
memory/3840-148-0x0000000005040000-0x0000000005668000-memory.dmp

Filesize
6.2MB

Download
memory/3840-149-0x0000000004D60000-0x0000000004D82000-memory.dmp

Filesize
136KB

Download
memory/3840-151-0x0000000005D10000-0x0000000005D2E000-memory.dmp

Filesize
120KB

Download
memory/3840-152-0x0000000007360000-0x00000000079DA000-memory.dmp

Filesize
6.5MB

Download
memory/3840-153-0x00000000061A0000-0x00000000061BA000-memory.dmp

Filesize
104KB

Download
memory/3840-154-0x0000000006D80000-0x0000000006E16000-memory.dmp

Filesize
600KB

Download
memory/3840-155-0x0000000006CE0000-0x0000000006D02000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads