m00nd3v_logger | 49115966741915c3cf2ff0ea0298fd73d00da665eff5f5595f35957ac40a00a7

General

Target

scan0002992, xlxs.exe
Size

724KB
MD5

8c801bcd5404e6951355e5a128c95fca
SHA1

0cb59615e4e19d3c56f08998e775c4b40c90ceda
SHA256

ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a
SHA512

b065e7ca45322e4fc572160fa46a667146d9f3f86493c71c92d9b038c350797d2eb314900dd84d784f3cacbd0ee56b39ac6046b8a3015b21afb31fb6824e416c

Score

10^/10

m00nd3v_logger infostealer spyware stealer

Malware Config

Signatures

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 7 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral1/memory/1684-66-0x00000000051C0000-0x000000000524E000-memory.dmp	m00nd3v_logger
behavioral1/memory/876-70-0x0000000000400000-0x000000000048E000-memory.dmp	m00nd3v_logger
behavioral1/memory/876-71-0x0000000000400000-0x000000000048E000-memory.dmp	m00nd3v_logger
behavioral1/memory/876-72-0x0000000000400000-0x000000000048E000-memory.dmp	m00nd3v_logger
behavioral1/memory/876-73-0x0000000000489C4E-mapping.dmp	m00nd3v_logger
behavioral1/memory/876-75-0x0000000000400000-0x000000000048E000-memory.dmp	m00nd3v_logger
behavioral1/memory/876-77-0x0000000000400000-0x000000000048E000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 7 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1684-66-0x00000000051C0000-0x000000000524E000-memory.dmp	MailPassView
behavioral1/memory/876-70-0x0000000000400000-0x000000000048E000-memory.dmp	MailPassView
behavioral1/memory/876-71-0x0000000000400000-0x000000000048E000-memory.dmp	MailPassView
behavioral1/memory/876-72-0x0000000000400000-0x000000000048E000-memory.dmp	MailPassView
behavioral1/memory/876-73-0x0000000000489C4E-mapping.dmp	MailPassView
behavioral1/memory/876-75-0x0000000000400000-0x000000000048E000-memory.dmp	MailPassView
behavioral1/memory/876-77-0x0000000000400000-0x000000000048E000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 7 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1684-66-0x00000000051C0000-0x000000000524E000-memory.dmp	WebBrowserPassView
behavioral1/memory/876-70-0x0000000000400000-0x000000000048E000-memory.dmp	WebBrowserPassView
behavioral1/memory/876-71-0x0000000000400000-0x000000000048E000-memory.dmp	WebBrowserPassView
behavioral1/memory/876-72-0x0000000000400000-0x000000000048E000-memory.dmp	WebBrowserPassView
behavioral1/memory/876-73-0x0000000000489C4E-mapping.dmp	WebBrowserPassView
behavioral1/memory/876-75-0x0000000000400000-0x000000000048E000-memory.dmp	WebBrowserPassView
behavioral1/memory/876-77-0x0000000000400000-0x000000000048E000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

resource	yara_rule
behavioral1/memory/1684-66-0x00000000051C0000-0x000000000524E000-memory.dmp	Nirsoft
behavioral1/memory/876-70-0x0000000000400000-0x000000000048E000-memory.dmp	Nirsoft
behavioral1/memory/876-71-0x0000000000400000-0x000000000048E000-memory.dmp	Nirsoft
behavioral1/memory/876-72-0x0000000000400000-0x000000000048E000-memory.dmp	Nirsoft
behavioral1/memory/876-73-0x0000000000489C4E-mapping.dmp	Nirsoft
behavioral1/memory/876-75-0x0000000000400000-0x000000000048E000-memory.dmp	Nirsoft
behavioral1/memory/876-77-0x0000000000400000-0x000000000048E000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PWTzIv.url	scan0002992, xlxs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1684 set thread context of 876	1684	scan0002992, xlxs.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1684	scan0002992, xlxs.exe
1684	scan0002992, xlxs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	scan0002992, xlxs.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 284	1684	scan0002992, xlxs.exe	28
PID 1684 wrote to memory of 284	1684	scan0002992, xlxs.exe	28
PID 1684 wrote to memory of 284	1684	scan0002992, xlxs.exe	28
PID 1684 wrote to memory of 284	1684	scan0002992, xlxs.exe	28
PID 284 wrote to memory of 1656	284	csc.exe	30
PID 284 wrote to memory of 1656	284	csc.exe	30
PID 284 wrote to memory of 1656	284	csc.exe	30
PID 284 wrote to memory of 1656	284	csc.exe	30
PID 1684 wrote to memory of 876	1684	scan0002992, xlxs.exe	31
PID 1684 wrote to memory of 876	1684	scan0002992, xlxs.exe	31
PID 1684 wrote to memory of 876	1684	scan0002992, xlxs.exe	31
PID 1684 wrote to memory of 876	1684	scan0002992, xlxs.exe	31
PID 1684 wrote to memory of 876	1684	scan0002992, xlxs.exe	31
PID 1684 wrote to memory of 876	1684	scan0002992, xlxs.exe	31
PID 1684 wrote to memory of 876	1684	scan0002992, xlxs.exe	31
PID 1684 wrote to memory of 876	1684	scan0002992, xlxs.exe	31
PID 1684 wrote to memory of 876	1684	scan0002992, xlxs.exe	31
PID 1684 wrote to memory of 876	1684	scan0002992, xlxs.exe	31
PID 1684 wrote to memory of 876	1684	scan0002992, xlxs.exe	31
PID 1684 wrote to memory of 876	1684	scan0002992, xlxs.exe	31

C:\Users\Admin\AppData\Local\Temp\scan0002992, xlxs.exe
"C:\Users\Admin\AppData\Local\Temp\scan0002992, xlxs.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nm4pecfx\nm4pecfx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:284
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61B1.tmp" "c:\Users\Admin\AppData\Local\Temp\nm4pecfx\CSC3EC4A580F2104EFD91651C6495D73E4.TMP"
    3⤵
    PID:1656
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES61B1.tmp

Filesize
1KB

MD5
9716481633f3bf693f1e5be977bfce21

SHA1
2edcde8dbe29fca1cb9462d407e012a76f924866

SHA256
f29b9d5d5cc8396370dff07ad7d14e48f11309fba6e6af884cb5bc6dabe65cc1

SHA512
a772e7c7a019a23abf4261195115f423beb4703bbb1b9bf8d38893ada76efd15a35fa8aa9ba29efdd69526035a67c873e9bb6973960dfa7df55c396be2bbfb74

Download Submit
C:\Users\Admin\AppData\Local\Temp\nm4pecfx\nm4pecfx.dll

Filesize
15KB

MD5
11afdb43c2479898c87b438d2d3c1c79

SHA1
7d275e99de20e304ec4f035fc75293bde24f203c

SHA256
bcd52586df55708c08a639c5908f9e0462e4a7c1038c158e2e7974640dc21f0a

SHA512
a15bf6b4b0492db55c139892b5008170a9a6b1c6f8b1398cbe4098b9e3750a06bb27088835f76c35a0ad52ed0f9fe8b25377ffe01fdb940514aac4f43177f51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nm4pecfx\nm4pecfx.pdb

Filesize
49KB

MD5
029bf1f019d5eb01a7a0bf9e9d776776

SHA1
c5561d5704b85da527b72fb518d1117171b5823a

SHA256
8fb7b4945d4482eaa713b3c36b570e3a2d3ae21264ed2674f99b51131e04ae0a

SHA512
02df556511fae0839e681bba5c1e6308b87c0790093f3cf1137e4c1ef5c6c4ab86e46bd411496b8d37294010d945b0c52cb50ff910f13c1f38f8719e40e812fc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nm4pecfx\CSC3EC4A580F2104EFD91651C6495D73E4.TMP

Filesize
1KB

MD5
c583de7e5a688c5c9aab71d95baed8aa

SHA1
f53a4c0be5fa95a59b55486670f59674c4bc44e8

SHA256
aa4a2f44175323371f672e4b52b3ea9a285250fe40c802ff4028a3787b4ea2f5

SHA512
f5de1406310ebf446c221114cb4fc5331696b2bb10f2c9f0d9a46c5093e60928f06af95ec760db416bd3ad561e8c3b5eee453e26d6af4000ec92f03918800ed9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nm4pecfx\nm4pecfx.0.cs

Filesize
28KB

MD5
7300342b16e28fb27dda1e4c04b59bf6

SHA1
72801e6011d027f8836f55e9eece403ebed3db32

SHA256
20042a0b578f8531f23c3d7f9b4c3a677f301b3c12c25dd7e8d3e952a6665dcf

SHA512
0be481c3b80959c95a46113ba74997a91abd8ac82bf429e5fc7dcc68ed93a35484a6acdc95390bcafc09151f4475d283437bb75acdc23ea74653ee439469a9bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nm4pecfx\nm4pecfx.cmdline

Filesize
248B

MD5
78ea4a5a7f5cb79f1472ec7eca72ef52

SHA1
e81e2e105c5987b291be4cf9ad61723b546c9027

SHA256
216dcee332ffb537055a62b59463639e77a20c830d562f539e4b31731177d038

SHA512
99068a0c7de1968a032b19d7787ac61f247cb2fc0f82a57c6dd6e9be00870a3dcbb32e3f9c36cec0755fa63ce297de519e92c00c421c3fcaf164d01d62c538a0

Download Submit
memory/876-77-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/876-81-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/876-80-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/876-79-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/876-78-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/876-70-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/876-71-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/876-68-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/876-72-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/876-67-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/876-75-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1684-54-0x0000000000BF0000-0x0000000000CAA000-memory.dmp

Filesize
744KB

Download
memory/1684-66-0x00000000051C0000-0x000000000524E000-memory.dmp

Filesize
568KB

Download
memory/1684-65-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/1684-64-0x0000000004FE0000-0x000000000507A000-memory.dmp

Filesize
616KB

Download
memory/1684-63-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing