win.masslogger

MASS Logger


MassLogger is a .NET credential stealer. It starts with a launcher that uses simple anti-debugging techniques, which are easily bypassed once identified. This first-stage loader XOR-decrypts the second-stage assembly, which in turn decrypts, loads and executes the final MassLogger payload.

References
2020-08-26 - Max Kersten (Max Kersten's Blog): "ReZer0v4 loader". https://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/ (accessed 2020-08-27)

2020-08-18 - Mario Henkel (Medium mariohenkel): "Decrypt MassLogger 2.4.0.0 configuration". https://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7 (accessed 2020-08-18)

2020-08-06 - Nhan Huynh (FireEye): "Bypassing MassLogger Anti-Analysis - a Man-in-the-Middle Approach". https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html (accessed 2020-08-12)

2020-07-31 - Aniruddha Dolas (Seqrite): "MassLogger: An Emerging Spyware and Keylogger". https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/ (accessed 2020-08-05)

2020-06-10 - Andreas Klopsch (Gdata): "Harmful Logging - Diving into MassLogger". https://www.gdatasoftware.com/blog/2020/06/36129-harmful-logging-diving-into-masslogger (accessed 2020-06-10)

2020-06-10 - FR3D.HK: "MassLogger - Frankenstein's Creation". https://fr3d.hk/blog/masslogger-frankenstein-s-creation (accessed 2020-06-18)

2020-04-30 - @pancak3lullz (Twitter): "First public tweet on MASS Logger". https://twitter.com/pancak3lullz/status/1255893734241304576 (accessed 2020-05-18)
Yara Rules
[TLP:WHITE] win_masslogger_w0 (20200608 | No description)
rule win_masslogger_w0 {
    meta:
        author = "govcert_ch"
        date = "20200604"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.masslogger"
        malpedia_rule_date = "20200608"
        malpedia_version = "20200608"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "MassLogger"
        $h1 = "A4E9167DC11A5B8BA7E09C85BAFDEA0B6E0B399CE50086545509017050B33097"
        $h2 = "AAA2C593325A6E943911DFD53B725C28A68B27938765C83DBE2EC87827F002D3"
        $h3 = "BF987C4258B4057871A8F1E5E2A46865B41E73B13409FE2876CA74DC1EB57B7A"
        $h4 = "EFEDAC4C9159D64FC0961D335BB5EC1CBC15F6545FA712EEEA543CD8711D2117"
    condition:
        any of them
}