m00nd3v_logger | 1d98e18806cb0b478899854bf39ff2388225501a109405db1816066643224ce8

General

Target

59818 STS 939_pdf.exe
Size

238KB
MD5

696095ddf9ccfeb0f5ae1ed6aac3ade7
SHA1

9f524eb8885d317554d7624ff55be70934b22e56
SHA256

1d98e18806cb0b478899854bf39ff2388225501a109405db1816066643224ce8
SHA512

c5603667d869e707578077591b613e30b27b74636d7883fc1cd664c32492cdec552194a9c0ec890e75a5f058c1915bd6f8d8686fe6b14469549ec04d21b69298

Score

10^/10

m00nd3v_logger rezer0 spyware stealer

Malware Config

Signatures

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 2 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/1548-12-0x0000000000400000-0x000000000042A000-memory.dmp	m00nd3v_logger
behavioral2/memory/1548-13-0x0000000000424F8E-mapping.dmp	m00nd3v_logger

rezer0 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/1304-9-0x0000000005FF0000-0x000000000601D000-memory.dmp	rezer0

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 bot.whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

59818 STS 939_pdf.exe

description pid process target process

PID 1304 set thread context of 1548 1304 59818 STS 939_pdf.exe 59818 STS 939_pdf.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2648 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

59818 STS 939_pdf.exe59818 STS 939_pdf.exe

pid process

1304 59818 STS 939_pdf.exe
1548 59818 STS 939_pdf.exe
1548 59818 STS 939_pdf.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

59818 STS 939_pdf.exe59818 STS 939_pdf.exe

description pid process

Token: SeDebugPrivilege 1304 59818 STS 939_pdf.exe
Token: SeDebugPrivilege 1548 59818 STS 939_pdf.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

59818 STS 939_pdf.exe

pid process

1548 59818 STS 939_pdf.exe

flow	ioc
15	bot.whatismyipaddress.com

description	pid	process	target process
PID 1304 set thread context of 1548	1304	59818 STS 939_pdf.exe	59818 STS 939_pdf.exe

pid	process
2648	schtasks.exe

pid	process
1304	59818 STS 939_pdf.exe
1548	59818 STS 939_pdf.exe
1548	59818 STS 939_pdf.exe

description	pid	process
Token: SeDebugPrivilege	1304	59818 STS 939_pdf.exe
Token: SeDebugPrivilege	1548	59818 STS 939_pdf.exe

pid	process
1548	59818 STS 939_pdf.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

59818 STS 939_pdf.exe

description	pid	process	target process
PID 1304 wrote to memory of 2648	1304	59818 STS 939_pdf.exe	schtasks.exe
PID 1304 wrote to memory of 2648	1304	59818 STS 939_pdf.exe	schtasks.exe
PID 1304 wrote to memory of 2648	1304	59818 STS 939_pdf.exe	schtasks.exe
PID 1304 wrote to memory of 1548	1304	59818 STS 939_pdf.exe	59818 STS 939_pdf.exe
PID 1304 wrote to memory of 1548	1304	59818 STS 939_pdf.exe	59818 STS 939_pdf.exe
PID 1304 wrote to memory of 1548	1304	59818 STS 939_pdf.exe	59818 STS 939_pdf.exe
PID 1304 wrote to memory of 1548	1304	59818 STS 939_pdf.exe	59818 STS 939_pdf.exe
PID 1304 wrote to memory of 1548	1304	59818 STS 939_pdf.exe	59818 STS 939_pdf.exe
PID 1304 wrote to memory of 1548	1304	59818 STS 939_pdf.exe	59818 STS 939_pdf.exe
PID 1304 wrote to memory of 1548	1304	59818 STS 939_pdf.exe	59818 STS 939_pdf.exe
PID 1304 wrote to memory of 1548	1304	59818 STS 939_pdf.exe	59818 STS 939_pdf.exe

C:\Users\Admin\AppData\Local\Temp\59818 STS 939_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\59818 STS 939_pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NwaAjccxqBvx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A13.tmp"
2⤵
- Creates scheduled task(s)
PID:2648

C:\Users\Admin\AppData\Local\Temp\59818 STS 939_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\59818 STS 939_pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\59818 STS 939_pdf.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A13.tmp
MD5
a52321bb8f9c5a34dbab27ad011c8db3

SHA1
23f9c1339e3910cf584039f62238a51464688382

SHA256
3aca764b8d630f08637e9524ca002c71a87fb34a7f90d8a0318168a0daa5717c

SHA512
45b082ea88fc407973fa7219cc8765b7a1c7a002501116c820e9e9d73093917af08832488be22ac3bdfe62de5275dc2bcfda2fcef9c406ef4a551c8635277ff9

Download Submit
memory/1304-9-0x0000000005FF0000-0x000000000601D000-memory.dmp

Filesize
180KB

Download
memory/1304-4-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/1304-5-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/1304-6-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/1304-7-0x0000000005790000-0x0000000005793000-memory.dmp

Filesize
12KB

Download
memory/1304-8-0x00000000057B0000-0x00000000057EC000-memory.dmp

Filesize
240KB

Download
memory/1304-0-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/1304-1-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1304-3-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/1548-13-0x0000000000424F8E-mapping.dmp

Download
memory/1548-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1548-15-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/1548-20-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/2648-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads