{
	"id": "34a5e5cd-db2f-4fc3-8dcb-cd1d1e715761",
	"created_at": "2026-04-06T00:08:04.283393Z",
	"updated_at": "2026-04-10T13:12:27.943211Z",
	"deleted_at": null,
	"sha1_hash": "fab16035f6eba5193af1756b3886f79590581a04",
	"title": "Decrypt MassLogger 2.4.0.0 configuration",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1233672,
	"plain_text": "Decrypt MassLogger 2.4.0.0 configuration\r\nBy NexusFuzzy\r\nPublished: 2020-08-19 · Archived: 2026-04-05 17:53:36 UTC\r\nThe malware MassLogger has been around for some time and different analysis approaches have been published\r\nin the past — for example by FireEye.\r\nUnfortunately, this approach didn’t work in my case, mainly because I later realized that I was dealing with a\r\nMassLogger sample with version 2.4.0.0, while the one analyzed by FireEye seemed to be version 1.3.4.0.\r\nSo, what now? If you are just interested in the config itself, to find out local and network IOCs, I have some\r\ngood news for you.\r\nNote: These steps only work on the MassLogger binary itself. In most cases it has to be unpacked before you\r\ncan start to decrypt the config. One easy check is to search with dnSpy for “FtpEnable” or any other value you\r\nknow will be present in the config. If you are able to find these references, you are good to go!\r\nTo do this, open up dnSpy, load the binary and choose Edit \u003e Search Assemblies.\r\nhttps://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7\r\nPage 1 of 5\n\nEdit \u003e Search Assemblies\r\nNow search for “FtpEnable”:\r\nSearch for FtpEnable was successful and you are looking at the MassLogger sample\r\nNow that we are certain that we are looking at the MassLogger sample itself (you may have used Yara rules to be\r\ncertain it is MassLogger, too), we can apply our trick to get all the decrypted config values.\r\nJust add “AesCryptoServiceProvider” to the search field we used before and open the corresponding search result:\r\nOpen AesCryptoServiceProvider from System.Security.Cryptography with a double click\r\nOnce you have opened the file, set a breakpoint:\r\nThis way, you will always hit this breakpoint when MassLogger makes use of AES to decrypt its config strings.\r\nWe will need this breakpoint just once to get back to the calling function in the MassLogger binary itself.\r\nNow you can run the sample (in a sandbox of course) and after some seconds the breakpoint we created will be\r\nhit.\r\nBreakpoint was hit\r\nOnce the breakpoint is hit, press Shift + F11 (Step out of function) and you’ll be right back in your MassLogger\r\nbinary where all the decryption takes place.\r\nOnce you are back, you have to find where the function you are currently in returns. In my case it looks like this:\r\nAdd a breakpoint on the return of the function\r\nNow add a breakpoint to this line. This way, you’ll hit this breakpoint whenever a part of the configuration file\r\ngets decrypted. You can now also safely disable the breakpoint in System.Security.Cryptography since we only\r\nneeded that one to jump back into MassLogger to set our “real” breakpoint.\r\nWhen your breakpoint is hit, inspect the value of array4 and you’ll see:\r\nWhich can be dumped and viewed in an editor:\r\nDumped config value\r\nThis process can be repeated for every config item you’re interested in!\r\nSource: https://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7"
	],
	"report_names": [
		"decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7"
	],
	"threat_actors": [],
	"ts_created_at": 1775434084,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fab16035f6eba5193af1756b3886f79590581a04.pdf",
		"text": "https://archive.orkl.eu/fab16035f6eba5193af1756b3886f79590581a04.txt",
		"img": "https://archive.orkl.eu/fab16035f6eba5193af1756b3886f79590581a04.jpg"
	}
}