m00nd3v_logger | e9c4c8ba7977a65b5aacfda5926b44af00126f6444170a7a955f203c7ec7a4b7

General

Target

APPROVE ORDER .exe
Size

400KB
MD5

96b3b7fcba7348f92c8b0a888f0bc619
SHA1

508fd0984218206747e49d544c829e0b29790f9f
SHA256

ee6195ec1370d529ba036d6ce5f7ca391822519455a57817e1576ac8a45b8b8d
SHA512

6eb3362a08a121e1203bbacd215d8320c772ed55cb97a78fa2e133b0fc58cc067738f820e16a83bc7ee33db9e5df71dd5f8577faf07a9842acffa3e90db67503

Score

10^/10

m00nd3v_logger collection infostealer spyware stealer

Malware Config

Signatures

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/4484-138-0x0000000000400000-0x0000000000444000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 6 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4484-138-0x0000000000400000-0x0000000000444000-memory.dmp	MailPassView
behavioral2/memory/3936-141-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/3936-143-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/3936-144-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/464-149-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/4200-154-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4484-138-0x0000000000400000-0x0000000000444000-memory.dmp	Nirsoft
behavioral2/memory/3936-141-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/3936-143-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/3936-144-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/464-149-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/4200-154-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

APPROVE ORDER .exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	APPROVE ORDER .exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exevbc.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

APPROVE ORDER .exeMSBuild.exe

description	pid	process	target process
PID 3856 set thread context of 4484	3856	APPROVE ORDER .exe	MSBuild.exe
PID 4484 set thread context of 3936	4484	MSBuild.exe	vbc.exe
PID 4484 set thread context of 464	4484	MSBuild.exe	vbc.exe
PID 4484 set thread context of 4200	4484	MSBuild.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3184 schtasks.exe

pid	process
3184	schtasks.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

APPROVE ORDER .exeMSBuild.exe

description	pid	process	target process
PID 3856 wrote to memory of 3184	3856	APPROVE ORDER .exe	schtasks.exe
PID 3856 wrote to memory of 3184	3856	APPROVE ORDER .exe	schtasks.exe
PID 3856 wrote to memory of 3184	3856	APPROVE ORDER .exe	schtasks.exe
PID 3856 wrote to memory of 4484	3856	APPROVE ORDER .exe	MSBuild.exe
PID 3856 wrote to memory of 4484	3856	APPROVE ORDER .exe	MSBuild.exe
PID 3856 wrote to memory of 4484	3856	APPROVE ORDER .exe	MSBuild.exe
PID 3856 wrote to memory of 4484	3856	APPROVE ORDER .exe	MSBuild.exe
PID 3856 wrote to memory of 4484	3856	APPROVE ORDER .exe	MSBuild.exe
PID 3856 wrote to memory of 4484	3856	APPROVE ORDER .exe	MSBuild.exe
PID 3856 wrote to memory of 4484	3856	APPROVE ORDER .exe	MSBuild.exe
PID 3856 wrote to memory of 4484	3856	APPROVE ORDER .exe	MSBuild.exe
PID 4484 wrote to memory of 3936	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 3936	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 3936	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 3936	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 3936	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 3936	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 3936	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 3936	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 3936	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 464	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 464	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 464	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 464	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 464	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 464	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 464	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 464	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 464	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 4200	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 4200	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 4200	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 4200	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 4200	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 4200	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 4200	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 4200	4484	MSBuild.exe	vbc.exe
PID 4484 wrote to memory of 4200	4484	MSBuild.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\APPROVE ORDER .exe
"C:\Users\Admin\AppData\Local\Temp\APPROVE ORDER .exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohsbzTbXG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpED04.tmp"
2⤵
- Creates scheduled task(s)
PID:3184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC64.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:3936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFEB4.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:464

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF0C6.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:4200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpED04.tmp
Filesize
1KB

MD5
821dd77e88763932070de7e86c0e3315

SHA1
16e275b89d3974f8953a59d56eca5f41d99a169e

SHA256
c50ee4e6fb8a4c13395b7899013dd291068b931dd5ef9013958b29df7304da8a

SHA512
3824a9a63c0992b167483bdfe2b460cc8a67dbaffe8b1c15782247fd2c1682afae2650bfe80d91e1f06375e8fff0ca36bbc132134fe91036bc3bec6304b85e33

Download Submit
memory/464-149-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/464-145-0x0000000000000000-mapping.dmp

Download
memory/3184-135-0x0000000000000000-mapping.dmp

Download
memory/3856-130-0x0000000000B10000-0x0000000000B7A000-memory.dmp

Filesize
424KB

Download
memory/3856-131-0x0000000007F30000-0x00000000084D4000-memory.dmp

Filesize
5.6MB

Download
memory/3856-132-0x0000000007A20000-0x0000000007AB2000-memory.dmp

Filesize
584KB

Download
memory/3856-133-0x0000000007A00000-0x0000000007A0A000-memory.dmp

Filesize
40KB

Download
memory/3856-134-0x000000000B3A0000-0x000000000B43C000-memory.dmp

Filesize
624KB

Download
memory/3936-143-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3936-140-0x0000000000000000-mapping.dmp

Download
memory/3936-141-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3936-144-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4200-150-0x0000000000000000-mapping.dmp

Download
memory/4200-154-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4484-139-0x0000000005490000-0x00000000054F6000-memory.dmp

Filesize
408KB

Download
memory/4484-138-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4484-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads