win.masslogger

MASS Logger


MassLogger is a .NET credential stealer. It starts with a launcher that uses simple anti-debugging techniques, which are easily bypassed once identified. This first-stage loader XOR-decrypts the second-stage assembly, which in turn decrypts, loads and executes the final MassLogger payload.

References
2021-04-21 | Talos | Vanja Svajcer
A year of Fajan evolution and Bloomberg themed campaigns
Families: MASS Logger, Nanocore RAT, NetWire RC, Revenge RAT, XpertRAT

2021-02-22 | Avast Decoded | Anh Ho
MassLogger v3: a .NET stealer with serious obfuscation
Families: MASS Logger

2021-02-17 | Cisco Talos | Vanja Svajcer
Masslogger campaigns exfiltrates user credentials
Families: MASS Logger

2020-08-26 | Max Kersten's Blog | Max Kersten
ReZer0v4 loader
Families: MASS Logger

2020-08-18 | Medium (mariohenkel) | Mario Henkel
Decrypt MassLogger 2.4.0.0 configuration
Families: MASS Logger

2020-08-06 | FireEye | Nhan Huynh
Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach
Families: MASS Logger

2020-07-31 | Seqrite | Aniruddha Dolas
MassLogger: An Emerging Spyware and Keylogger
Families: MASS Logger

2020-06-10 | Gdata | Andreas Klopsch
Harmful Logging - Diving into MassLogger
Families: MASS Logger

2020-06-10 | FR3D.HK | FR3D.HK
MassLogger - Frankenstein's Creation
Families: MASS Logger

2020-04-30 | Twitter (@pancak3lullz) | @pancak3lullz
First public tweet on MASS Logger
Families: MASS Logger
Yara Rules
[TLP:WHITE] win_masslogger_w0 (20200608 | No description)
rule win_masslogger_w0 {
    meta:
        author = "govcert_ch"
        date = "20200604"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.masslogger"
        malpedia_rule_date = "20200608"
        malpedia_version = "20200608"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "MassLogger"
        $h1 = "A4E9167DC11A5B8BA7E09C85BAFDEA0B6E0B399CE50086545509017050B33097"
        $h2 = "AAA2C593325A6E943911DFD53B725C28A68B27938765C83DBE2EC87827F002D3"
        $h3 = "BF987C4258B4057871A8F1E5E2A46865B41E73B13409FE2876CA74DC1EB57B7A"
        $h4 = "EFEDAC4C9159D64FC0961D335BB5EC1CBC15F6545FA712EEEA543CD8711D2117"
    condition:
        any of them
}