m00nd3v_logger | 49115966741915c3cf2ff0ea0298fd73d00da665eff5f5595f35957ac40a00a7

General

Target

scan0002992, xlxs.exe
Size

724KB
MD5

8c801bcd5404e6951355e5a128c95fca
SHA1

0cb59615e4e19d3c56f08998e775c4b40c90ceda
SHA256

ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a
SHA512

b065e7ca45322e4fc572160fa46a667146d9f3f86493c71c92d9b038c350797d2eb314900dd84d784f3cacbd0ee56b39ac6046b8a3015b21afb31fb6824e416c

Score

10^/10

m00nd3v_logger infostealer spyware stealer

Malware Config

Signatures

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/2840-142-0x0000000000400000-0x000000000048E000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2840-142-0x0000000000400000-0x000000000048E000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2840-142-0x0000000000400000-0x000000000048E000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

resource	yara_rule
behavioral2/memory/2840-142-0x0000000000400000-0x000000000048E000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PWTzIv.url	scan0002992, xlxs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3660 set thread context of 2840	3660	scan0002992, xlxs.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3660	scan0002992, xlxs.exe
3660	scan0002992, xlxs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3660	scan0002992, xlxs.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 1808	3660	scan0002992, xlxs.exe	81
PID 3660 wrote to memory of 1808	3660	scan0002992, xlxs.exe	81
PID 3660 wrote to memory of 1808	3660	scan0002992, xlxs.exe	81
PID 1808 wrote to memory of 2624	1808	csc.exe	83
PID 1808 wrote to memory of 2624	1808	csc.exe	83
PID 1808 wrote to memory of 2624	1808	csc.exe	83
PID 3660 wrote to memory of 2840	3660	scan0002992, xlxs.exe	84
PID 3660 wrote to memory of 2840	3660	scan0002992, xlxs.exe	84
PID 3660 wrote to memory of 2840	3660	scan0002992, xlxs.exe	84
PID 3660 wrote to memory of 2840	3660	scan0002992, xlxs.exe	84
PID 3660 wrote to memory of 2840	3660	scan0002992, xlxs.exe	84
PID 3660 wrote to memory of 2840	3660	scan0002992, xlxs.exe	84
PID 3660 wrote to memory of 2840	3660	scan0002992, xlxs.exe	84
PID 3660 wrote to memory of 2840	3660	scan0002992, xlxs.exe	84

C:\Users\Admin\AppData\Local\Temp\scan0002992, xlxs.exe
"C:\Users\Admin\AppData\Local\Temp\scan0002992, xlxs.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mkowsmbq\mkowsmbq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD594.tmp" "c:\Users\Admin\AppData\Local\Temp\mkowsmbq\CSCC931BF1428694FA383957D7814DCA44.TMP"
    3⤵
    PID:2624
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:2840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD594.tmp

Filesize
1KB

MD5
08a5548e457320094f975bde8ed5968e

SHA1
db91bfb7fdc79f8171e2ef36fb4473d0eb857d36

SHA256
0f5b1ede5b0d3bed87f519aa6111d15b72327f2576f848922335eb2eab00d4cb

SHA512
f56e03b839a2a0f4c91dabfdd5e073ecc3e19a328f2b8b63956c0fb1566d7ff811d20431cd14e3558e2c0858ab2563f0e6033a5d2b413bd4c0b6fa9d3f36fdb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkowsmbq\mkowsmbq.dll

Filesize
15KB

MD5
6bfd57b2aae93c0436d341b108ce7036

SHA1
66d068b15b7821345878fa7917d8ee198ff935cf

SHA256
72665e1f5810c8f4e08e7ad4f1aac0b1d38d8d879c2a9e3da00e7e152909cc83

SHA512
b1ea544430e878766149b248c3f6683c181c15927cc44d5872a22b907a59b2da9f39a6768db2606fb403398b9b777e59bc3e9eca47317493072a874efa478475

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkowsmbq\mkowsmbq.pdb

Filesize
49KB

MD5
ed9bc27cb2b4393cb7e8fb06b5edc586

SHA1
21dece5f63535afe85b3e39ff463f20369dce41a

SHA256
c022b479b27f1567b4e3a1d632fcf678a9b91f05f39395ba5fe484acb2be8554

SHA512
1223293adb026548da39772652c30d4e91394cd2000044cc55a3141819e0565e3f1891aa992e682cede3497970cc5f1cdf77ec2c16f16dd2e68a5029f12cbf26

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mkowsmbq\CSCC931BF1428694FA383957D7814DCA44.TMP

Filesize
1KB

MD5
6e00ed4dc22630e2b026a7cb144a500e

SHA1
19b2366e092700910ad6a5cbd42063b1a084cc8d

SHA256
ac085e3ac4264231665651ecdabca5776665336ad446b12c80038d3f05407ced

SHA512
9d0dffd29a47db09c9021009349223c547343af3dc1877e4b9644dec3d5580d2e206e470c24f6c5ec3fa2f750d358dfa6fb2871b9359f0aa6901b27bca23334e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mkowsmbq\mkowsmbq.0.cs

Filesize
28KB

MD5
7300342b16e28fb27dda1e4c04b59bf6

SHA1
72801e6011d027f8836f55e9eece403ebed3db32

SHA256
20042a0b578f8531f23c3d7f9b4c3a677f301b3c12c25dd7e8d3e952a6665dcf

SHA512
0be481c3b80959c95a46113ba74997a91abd8ac82bf429e5fc7dcc68ed93a35484a6acdc95390bcafc09151f4475d283437bb75acdc23ea74653ee439469a9bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mkowsmbq\mkowsmbq.cmdline

Filesize
248B

MD5
b4c337ffde4844479c5684f75349b0d1

SHA1
5a0ef2f6fa137022a58fb4279ad800dff088ef36

SHA256
a894f300b7f21192ff4e74f187710346f94918c8be13f164c8ac7b150700799e

SHA512
5f07f08602425def38d63bb67022d6fb9ce81e281478af51ccefa1f738b67b65281eb990185d55cc8bc07c8c5fd82f4398bc62f6c909da25bfbbb28778623f16

Download Submit
memory/2840-142-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2840-143-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/2840-144-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/2840-145-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/3660-130-0x0000000000970000-0x0000000000A2A000-memory.dmp

Filesize
744KB

Download
memory/3660-139-0x0000000005400000-0x0000000005492000-memory.dmp

Filesize
584KB

Download
memory/3660-140-0x0000000005A60000-0x0000000005AFC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing