m00nd3v_logger | 81f47363dc2137c3c6098589833077bc64c4531668d278b93e515ffcfb547303

General

Target

scan0002992, xlxs.exe
Size

724KB
MD5

8c801bcd5404e6951355e5a128c95fca
SHA1

0cb59615e4e19d3c56f08998e775c4b40c90ceda
SHA256

ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a
SHA512

b065e7ca45322e4fc572160fa46a667146d9f3f86493c71c92d9b038c350797d2eb314900dd84d784f3cacbd0ee56b39ac6046b8a3015b21afb31fb6824e416c

Score

10^/10

m00nd3v_logger infostealer spyware stealer

Malware Config

Signatures

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 7 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral1/memory/748-66-0x0000000005540000-0x00000000055CE000-memory.dmp	m00nd3v_logger
behavioral1/memory/1800-70-0x0000000000400000-0x000000000048E000-memory.dmp	m00nd3v_logger
behavioral1/memory/1800-73-0x0000000000489C4E-mapping.dmp	m00nd3v_logger
behavioral1/memory/1800-72-0x0000000000400000-0x000000000048E000-memory.dmp	m00nd3v_logger
behavioral1/memory/1800-71-0x0000000000400000-0x000000000048E000-memory.dmp	m00nd3v_logger
behavioral1/memory/1800-75-0x0000000000400000-0x000000000048E000-memory.dmp	m00nd3v_logger
behavioral1/memory/1800-77-0x0000000000400000-0x000000000048E000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 7 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/748-66-0x0000000005540000-0x00000000055CE000-memory.dmp	MailPassView
behavioral1/memory/1800-70-0x0000000000400000-0x000000000048E000-memory.dmp	MailPassView
behavioral1/memory/1800-73-0x0000000000489C4E-mapping.dmp	MailPassView
behavioral1/memory/1800-72-0x0000000000400000-0x000000000048E000-memory.dmp	MailPassView
behavioral1/memory/1800-71-0x0000000000400000-0x000000000048E000-memory.dmp	MailPassView
behavioral1/memory/1800-75-0x0000000000400000-0x000000000048E000-memory.dmp	MailPassView
behavioral1/memory/1800-77-0x0000000000400000-0x000000000048E000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 7 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/748-66-0x0000000005540000-0x00000000055CE000-memory.dmp	WebBrowserPassView
behavioral1/memory/1800-70-0x0000000000400000-0x000000000048E000-memory.dmp	WebBrowserPassView
behavioral1/memory/1800-73-0x0000000000489C4E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1800-72-0x0000000000400000-0x000000000048E000-memory.dmp	WebBrowserPassView
behavioral1/memory/1800-71-0x0000000000400000-0x000000000048E000-memory.dmp	WebBrowserPassView
behavioral1/memory/1800-75-0x0000000000400000-0x000000000048E000-memory.dmp	WebBrowserPassView
behavioral1/memory/1800-77-0x0000000000400000-0x000000000048E000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

resource	yara_rule
behavioral1/memory/748-66-0x0000000005540000-0x00000000055CE000-memory.dmp	Nirsoft
behavioral1/memory/1800-70-0x0000000000400000-0x000000000048E000-memory.dmp	Nirsoft
behavioral1/memory/1800-73-0x0000000000489C4E-mapping.dmp	Nirsoft
behavioral1/memory/1800-72-0x0000000000400000-0x000000000048E000-memory.dmp	Nirsoft
behavioral1/memory/1800-71-0x0000000000400000-0x000000000048E000-memory.dmp	Nirsoft
behavioral1/memory/1800-75-0x0000000000400000-0x000000000048E000-memory.dmp	Nirsoft
behavioral1/memory/1800-77-0x0000000000400000-0x000000000048E000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PWTzIv.url	scan0002992, xlxs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 748 set thread context of 1800	748	scan0002992, xlxs.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
748	scan0002992, xlxs.exe
748	scan0002992, xlxs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	scan0002992, xlxs.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1696	748	scan0002992, xlxs.exe	28
PID 748 wrote to memory of 1696	748	scan0002992, xlxs.exe	28
PID 748 wrote to memory of 1696	748	scan0002992, xlxs.exe	28
PID 748 wrote to memory of 1696	748	scan0002992, xlxs.exe	28
PID 1696 wrote to memory of 1188	1696	csc.exe	30
PID 1696 wrote to memory of 1188	1696	csc.exe	30
PID 1696 wrote to memory of 1188	1696	csc.exe	30
PID 1696 wrote to memory of 1188	1696	csc.exe	30
PID 748 wrote to memory of 1800	748	scan0002992, xlxs.exe	31
PID 748 wrote to memory of 1800	748	scan0002992, xlxs.exe	31
PID 748 wrote to memory of 1800	748	scan0002992, xlxs.exe	31
PID 748 wrote to memory of 1800	748	scan0002992, xlxs.exe	31
PID 748 wrote to memory of 1800	748	scan0002992, xlxs.exe	31
PID 748 wrote to memory of 1800	748	scan0002992, xlxs.exe	31
PID 748 wrote to memory of 1800	748	scan0002992, xlxs.exe	31
PID 748 wrote to memory of 1800	748	scan0002992, xlxs.exe	31
PID 748 wrote to memory of 1800	748	scan0002992, xlxs.exe	31
PID 748 wrote to memory of 1800	748	scan0002992, xlxs.exe	31
PID 748 wrote to memory of 1800	748	scan0002992, xlxs.exe	31
PID 748 wrote to memory of 1800	748	scan0002992, xlxs.exe	31

C:\Users\Admin\AppData\Local\Temp\scan0002992, xlxs.exe
"C:\Users\Admin\AppData\Local\Temp\scan0002992, xlxs.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nizqtrwu\nizqtrwu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEED2.tmp" "c:\Users\Admin\AppData\Local\Temp\nizqtrwu\CSC6339331A5CE24C6D825D891A957A633.TMP"
    3⤵
    PID:1188
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:1800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEED2.tmp

Filesize
1KB

MD5
dca9943e69cb77d1135f542bbc7fc280

SHA1
4fc3931dad747e403e21518552f52fefc7d2d8dd

SHA256
fc44b0ee4a255fd081ba2ffdb3d79f2af12f309b37323a8058b256882680c2fb

SHA512
aad495a282bb8a5617e6eede13f118fa0fbd0d0f53d347a45e5609b9ec16a1fec1e56f7ae3d5d0fbc9b420ffc7678f3a2ce463af289cd60270376a2174f64324

Download Submit
C:\Users\Admin\AppData\Local\Temp\nizqtrwu\nizqtrwu.dll

Filesize
15KB

MD5
d6f9367087cc91693a04d123d6f799f2

SHA1
2e1da390bea26e4eb7803c2036a41136181e840a

SHA256
bbe2e01277ed488519a740bc83124e84725a01d08d17ea206e9a6fb288862d6b

SHA512
b1dd2f1fe140f9260074604c5831cc07d1b7c1927e342adbbc6b7841735cca070ae44fe96aee10cedcb2e9966fadc1b2b21e24c3d6ab9284889536632fa08cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\nizqtrwu\nizqtrwu.pdb

Filesize
49KB

MD5
a875ec65b651f866456f07c0cfec7c62

SHA1
176312e3ba231d27f64884687e49da86f0dad859

SHA256
5717f4b4b748e86083063a4ce3e95d0979ffd5f0a777359284ba7150edc5ff64

SHA512
4999fd55794d32aac0fdf9b833f0d7595bfbc8c7d08c28edf1b8f54e8c62e80d90bf90c43f311dd908c8f6d73174425f9d81898d6bee1910d44b26824dfab693

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nizqtrwu\CSC6339331A5CE24C6D825D891A957A633.TMP

Filesize
1KB

MD5
a4c2d37c54f391e5206584dd74fe68db

SHA1
d43042c25cc0b35078bac6376a0ac9232eea725a

SHA256
09a9b0ef8beb1b459fb84a58ec54039d0ee3697c779f777ffccc8c7739c22b94

SHA512
a3f645960b373fda4c95994c85cec41fcd8ee8eb787746cbe511047c4f1488e9990a08a27a54228e9fb71cefee32d5be9610de2eebab6cfa2027d8febbd63bad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nizqtrwu\nizqtrwu.0.cs

Filesize
28KB

MD5
7300342b16e28fb27dda1e4c04b59bf6

SHA1
72801e6011d027f8836f55e9eece403ebed3db32

SHA256
20042a0b578f8531f23c3d7f9b4c3a677f301b3c12c25dd7e8d3e952a6665dcf

SHA512
0be481c3b80959c95a46113ba74997a91abd8ac82bf429e5fc7dcc68ed93a35484a6acdc95390bcafc09151f4475d283437bb75acdc23ea74653ee439469a9bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nizqtrwu\nizqtrwu.cmdline

Filesize
248B

MD5
70fc2f3480e8072867e52b7fc2991ca4

SHA1
c340c8352b64d28e85d31a54513db2a2b96453ef

SHA256
6bf266ecf352cace1722ae985d3d9d3b8d351d06bd9cb19397d4ea0cd2c8776a

SHA512
3de03643b2adc867662f46a96a2e9932ee4bc92b5881268850340ef71ac9f8e244c85c92c7a996009c6a97bad745b0cd516049c5ad9eac3a458ac3a04e41819c

Download Submit
memory/748-66-0x0000000005540000-0x00000000055CE000-memory.dmp

Filesize
568KB

Download
memory/748-63-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/748-64-0x0000000005330000-0x00000000053CA000-memory.dmp

Filesize
616KB

Download
memory/748-65-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download
memory/748-54-0x00000000002C0000-0x000000000037A000-memory.dmp

Filesize
744KB

Download
memory/1800-70-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1800-68-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1800-67-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1800-72-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1800-71-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1800-75-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1800-77-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1800-78-0x0000000075541000-0x0000000075543000-memory.dmp

Filesize
8KB

Download
memory/1800-79-0x0000000074180000-0x000000007472B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-80-0x0000000074180000-0x000000007472B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-81-0x0000000074180000-0x000000007472B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing