masslogger | bcf6f57656f2b70b3c9b7fad7d9ed6a2e1027e00d2733efd6b04eb6827db9355

Resubmissions

12-08-2024 19:06

240812-xsap4azbla 10

11-08-2024 10:57

240811-m2gjws1arh 10

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

795KB
MD5

244ff9e90106994d5a14add8e8483484
SHA1

42a9a0fec6267a15752beb06d838ea21eaefed75
SHA256

655d4b33dd95b286d546c78a9e26e33c3b16b779d5cfb41b62250cb059ae1301
SHA512

3b727ab0e410ff276688196199bb29b26d87734c85f93181784a5e4170decfc7467aa02d1c178c81e1fddd37638567af1045e9c9f1d0bb689f53e18baf03f867
SSDEEP

12288:QZpTV9DFHzw7NU0EXN0c1qRcDnftLEY2D94ymrdbWF9mrgxTmta6GNfnEHLmmJ0:ipTp+kPcRIftn2D94ymp6FqgxkGFaN

Score

10^/10

masslogger discovery spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2852-9-0x0000000008970000-0x0000000008A18000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

file.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\International\Geo\Nation file.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2360 2852 WerFault.exe file.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\International\Geo\Nation	file.exe

flow	ioc
4	api.ipify.org

pid	pid_target	process	target process
2360	2852	WerFault.exe	file.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

file.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2084 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

file.exe

pid process

2852 file.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

file.exe

description pid process

Token: SeDebugPrivilege 2852 file.exe

pid	process
2084	schtasks.exe

pid	process
2852	file.exe

description	pid	process
Token: SeDebugPrivilege	2852	file.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

file.exe

description	pid	process	target process
PID 2852 wrote to memory of 2084	2852	file.exe	schtasks.exe
PID 2852 wrote to memory of 2084	2852	file.exe	schtasks.exe
PID 2852 wrote to memory of 2084	2852	file.exe	schtasks.exe
PID 2852 wrote to memory of 2084	2852	file.exe	schtasks.exe
PID 2852 wrote to memory of 2360	2852	file.exe	WerFault.exe
PID 2852 wrote to memory of 2360	2852	file.exe	WerFault.exe
PID 2852 wrote to memory of 2360	2852	file.exe	WerFault.exe
PID 2852 wrote to memory of 2360	2852	file.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UXABia" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE9C3.tmp"
2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1600
2⤵
- Program crash
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE9C3.tmp

Filesize
1KB

MD5
838038852acd401e56a93028ef60e555

SHA1
d941f20c01f25d4fd4c46427887ed8a9c8c39fc5

SHA256
3f717884b7b7966638c250430832352207b4f52c0454270f424c4fa2de0252dd

SHA512
717c92074c02f7f6620e9832896628663e9223e90ce6ff8526957d409c310211af2b062c3ec0fed456c584ff1a184b10cb6585c5e83c08ea0f928f14317f1123

Download Submit
memory/2852-0-0x000000007485E000-0x000000007485F000-memory.dmp

Filesize
4KB

Download
memory/2852-1-0x0000000000F90000-0x000000000105C000-memory.dmp

Filesize
816KB

Download
memory/2852-2-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2852-3-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/2852-4-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2852-5-0x0000000005310000-0x00000000053C0000-memory.dmp

Filesize
704KB

Download
memory/2852-9-0x0000000008970000-0x0000000008A18000-memory.dmp

Filesize
672KB

Download
memory/2852-10-0x0000000002550000-0x0000000002594000-memory.dmp

Filesize
272KB

Download