masslogger | f0e3d1d1dd4b0b69a99c24ce4217194e9cbbb4f1efd8edcb8831f6e889c9b5cd

Resubmissions

28-01-2023 20:16

230128-y18sjagb93 10

15-12-2022 12:15

221215-pexcyafc8w 10

Analysis

max time kernel
91s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2022 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

img014012022.exe
Size

667KB
MD5

0d8c9a1bf7c59fc5623bc97992c84d68
SHA1

f83fd12fc4ba8c891f01f93e4dbec5dd7106cbc3
SHA256

f0e3d1d1dd4b0b69a99c24ce4217194e9cbbb4f1efd8edcb8831f6e889c9b5cd
SHA512

776d9e66da6c499d54b760f930b7c080be33daabff33e4b9670701f21373f307af602e124ce414b3b354277c5604ae7811105dd9a8d2d8f03571e467947a3d2d
SSDEEP

12288:aRW65WWrYINieIUYXPFvWYGegce9pZIdTPxM6uMdmLN4NQ/h1aikvhmF:mW65WWrYIUeIUYXP9WYGegceQN766NKL

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main payload 2 IoCs

resource	yara_rule
behavioral2/memory/4240-139-0x0000000000400000-0x0000000000494000-memory.dmp	family_masslogger
behavioral2/memory/4240-144-0x0000000000400000-0x0000000000494000-memory.dmp	family_masslogger

Executes dropped EXE 2 IoCs

pid	Process
1096	jjimhzdgo.exe
4240	jjimhzdgo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1096 set thread context of 4240	1096	jjimhzdgo.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4240	jjimhzdgo.exe
4240	jjimhzdgo.exe
3432	powershell.exe
3432	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1096	jjimhzdgo.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4240	jjimhzdgo.exe
Token: SeDebugPrivilege	3432	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 1096	432	img014012022.exe	79
PID 432 wrote to memory of 1096	432	img014012022.exe	79
PID 432 wrote to memory of 1096	432	img014012022.exe	79
PID 1096 wrote to memory of 4240	1096	jjimhzdgo.exe	80
PID 1096 wrote to memory of 4240	1096	jjimhzdgo.exe	80
PID 1096 wrote to memory of 4240	1096	jjimhzdgo.exe	80
PID 1096 wrote to memory of 4240	1096	jjimhzdgo.exe	80
PID 4240 wrote to memory of 2456	4240	jjimhzdgo.exe	84
PID 4240 wrote to memory of 2456	4240	jjimhzdgo.exe	84
PID 4240 wrote to memory of 2456	4240	jjimhzdgo.exe	84
PID 2456 wrote to memory of 3432	2456	cmd.exe	86
PID 2456 wrote to memory of 3432	2456	cmd.exe	86
PID 2456 wrote to memory of 3432	2456	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\img014012022.exe
"C:\Users\Admin\AppData\Local\Temp\img014012022.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Local\Temp\jjimhzdgo.exe
  "C:\Users\Admin\AppData\Local\Temp\jjimhzdgo.exe" C:\Users\Admin\AppData\Local\Temp\gjoxrlrsi.k
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Users\Admin\AppData\Local\Temp\jjimhzdgo.exe
    "C:\Users\Admin\AppData\Local\Temp\jjimhzdgo.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4240
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\jjimhzdgo.exe' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\jjimhzdgo.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\djgcoe.ef

Filesize
577KB

MD5
ec34e86bfd01061019a84fe7c04a7bd6

SHA1
903985c33ce607533cf6deb19b13aed83bd97e1a

SHA256
93ac2fc5a1127495112cad16ace27883257d91de544c78c1bf06892d6f86e44b

SHA512
fe1452b12bb64b92ee02452fdcd382c512135894a2d635301dd4f1ed3d1cf584321b6726b51997f39ffcff2b47107bb4e1d9d16bc6817eae5300c45ae6184b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gjoxrlrsi.k

Filesize
5KB

MD5
cc754a54f4c748a05942f7676fe5eb50

SHA1
1f22f0c2b3360d16a7ebabca3fe6b023870d9535

SHA256
f7bba681f02389bdb4471bcef5f576db7639879e61d7260ff63ba1185e291fca

SHA512
23ecc16053523547411b7279a0a3493a92daae77974d87cc44c29513f59730049b383ef197a194a77392830481bf51edb6eeeecae285945ec9c845cff656eabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjimhzdgo.exe

Filesize
327KB

MD5
a4cc2d055427ab48e6323360250433e8

SHA1
a88fe1182074a402a28862c66d0ac404116e8a4a

SHA256
d46d25a70976db5f373fb7a2e93adaf9b3ace962dc95d3c45f4f58f5de033f60

SHA512
6f5cae9adaed2d7e982276a075bb69aa6206cec918f74f6f6c207e1066dbb0882ed1368ca2b5f63601f7a3ba786ec9ee31bf471a9eff30ac2a30c5ab2ff11869

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjimhzdgo.exe

Filesize
327KB

MD5
a4cc2d055427ab48e6323360250433e8

SHA1
a88fe1182074a402a28862c66d0ac404116e8a4a

SHA256
d46d25a70976db5f373fb7a2e93adaf9b3ace962dc95d3c45f4f58f5de033f60

SHA512
6f5cae9adaed2d7e982276a075bb69aa6206cec918f74f6f6c207e1066dbb0882ed1368ca2b5f63601f7a3ba786ec9ee31bf471a9eff30ac2a30c5ab2ff11869

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjimhzdgo.exe

Filesize
327KB

MD5
a4cc2d055427ab48e6323360250433e8

SHA1
a88fe1182074a402a28862c66d0ac404116e8a4a

SHA256
d46d25a70976db5f373fb7a2e93adaf9b3ace962dc95d3c45f4f58f5de033f60

SHA512
6f5cae9adaed2d7e982276a075bb69aa6206cec918f74f6f6c207e1066dbb0882ed1368ca2b5f63601f7a3ba786ec9ee31bf471a9eff30ac2a30c5ab2ff11869

Download Submit
memory/3432-153-0x00000000074B0000-0x0000000007546000-memory.dmp

Filesize
600KB

Download
memory/3432-149-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download
memory/3432-152-0x0000000006750000-0x000000000676A000-memory.dmp

Filesize
104KB

Download
memory/3432-151-0x0000000007890000-0x0000000007F0A000-memory.dmp

Filesize
6.5MB

Download
memory/3432-154-0x0000000006830000-0x0000000006852000-memory.dmp

Filesize
136KB

Download
memory/3432-150-0x0000000006240000-0x000000000625E000-memory.dmp

Filesize
120KB

Download
memory/3432-146-0x0000000002930000-0x0000000002966000-memory.dmp

Filesize
216KB

Download
memory/3432-147-0x00000000055B0000-0x0000000005BD8000-memory.dmp

Filesize
6.2MB

Download
memory/3432-148-0x0000000005390000-0x00000000053B2000-memory.dmp

Filesize
136KB

Download
memory/4240-144-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4240-142-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/4240-141-0x0000000005E30000-0x00000000063D4000-memory.dmp

Filesize
5.6MB

Download
memory/4240-140-0x00000000057E0000-0x0000000005872000-memory.dmp

Filesize
584KB

Download
memory/4240-139-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download