{
	"id": "ad2b7405-e0b3-4c7f-ab64-e6a1d8c3bdd3",
	"created_at": "2026-04-06T00:14:38.50516Z",
	"updated_at": "2026-04-10T13:12:03.707588Z",
	"deleted_at": null,
	"sha1_hash": "0620dd777f4aed156ec5aecddd4360c9eb9bb3c3",
	"title": "Diving into MassLogger",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 406879,
	"plain_text": "Diving into MassLogger\r\nBy Andreas Klopsch\r\nPublished: 2020-06-15 · Archived: 2026-04-05 16:57:15 UTC\r\n06/10/2020\r\nHarmful Logging - Diving into MassLogger\r\nThere are many things that can be logged on a computer. While not all logging data is useful for the average user,\r\na lot of logging goes on in the background of any system. However, there is good logging and bad logging. We\r\nhave looked at an example of logging you definitely would not want.\r\nOver the last weeks we observed a malware variant named MassLogger which is sold on hacker forums and\r\nadvertised via YouTube videos. It is a .NET malware classified as a credential stealer and spyware, being\r\nweaponized with a variety of routines to steal sensitive data from users, as well as spy on them.\r\nThe use cases for MassLogger vary a lot. However, we observed reports from other researchers and are confident\r\nthat MassLogger is mostly distributed by phishing mails.\r\nModularity\r\nMassLogger is developed to be sold to a wide variety of criminals; therefore it is also highly modular. During our\r\nanalysis, we found flags for various kinds of modules this malware has to offer. These modules are also introduced\r\nby the author. We are confident that customers are able to enable or disable certain features once a purchase is\r\nmade.\r\nMassLogger is usually packed with various packers which implement additional techniques to evade environments\r\nused to analyse malicious binaries. The sample we investigated was packed with at least the CyaX .NET Packer or\r\nreuses its code. 
One more packing stage was added which was able to detect whether the dnSpy debugger is\r\nattached to it.\r\nhttps://www.gdatasoftware.com/blog/2020/06/36129-harmful-logging-diving-into-masslogger\r\nPacker stage looking for dnspy substring in process name\r\nCredential Logging\r\nAs the trend to execute malicious code in memory continues, MassLogger also makes use of this. The sample we\r\ninvestigated starts itself in a new process, allocates executable memory and injects the mentioned routine into the\r\nnewly created process via Process Injection. The new process starts to iterate over files holding login credentials\r\nand writes them into a new file.\r\nThe sample writes credentials, as well as its configuration, into a separate log file. It also has the capability to\r\ntake screenshots.\r\nCreated log file holding information about victim's system and MassLogger's configuration\r\nThe C2 carrier protocol depends on the sample's configuration; the variant we investigated tried to send the results\r\nover SMTP to the C2 server. We also identified that MassLogger can at least be configured to transfer the logging\r\nresults via FTP to its control server.\r\nCaptured SMTP traffic to C2 domain\r\nPreventing MassLogger infection and outlook\r\nDuring the creation of this article, we continued to watch MassLogger and its distribution. We believe that\r\nMassLogger will spread and stay alive for at least the next months. 
So it is recommended to keep an eye on\r\nsuspicious mails, because malicious email attachments are still the most popular way to distribute malware.\r\nFurthermore, we suggest staying updated on the current threat landscape and reading cyber security news in order to\r\nproactively defend yourself against cyber security threats.\r\nIoCs\r\nSource: https://www.gdatasoftware.com/blog/2020/06/36129-harmful-logging-diving-into-masslogger",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2020/06/36129-harmful-logging-diving-into-masslogger"
	],
	"report_names": [
		"36129-harmful-logging-diving-into-masslogger"
	],
	"threat_actors": [],
	"ts_created_at": 1775434478,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0620dd777f4aed156ec5aecddd4360c9eb9bb3c3.pdf",
		"text": "https://archive.orkl.eu/0620dd777f4aed156ec5aecddd4360c9eb9bb3c3.txt",
		"img": "https://archive.orkl.eu/0620dd777f4aed156ec5aecddd4360c9eb9bb3c3.jpg"
	}
}