m00nd3v_logger | 81f47363dc2137c3c6098589833077bc64c4531668d278b93e515ffcfb547303

General

Target

scan0002992, xlxs.exe
Size

724KB
MD5

8c801bcd5404e6951355e5a128c95fca
SHA1

0cb59615e4e19d3c56f08998e775c4b40c90ceda
SHA256

ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a
SHA512

b065e7ca45322e4fc572160fa46a667146d9f3f86493c71c92d9b038c350797d2eb314900dd84d784f3cacbd0ee56b39ac6046b8a3015b21afb31fb6824e416c

Score

10^/10

m00nd3v_logger infostealer spyware stealer

Malware Config

Signatures

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/1444-142-0x0000000000400000-0x000000000048E000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1444-142-0x0000000000400000-0x000000000048E000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1444-142-0x0000000000400000-0x000000000048E000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

resource	yara_rule
behavioral2/memory/1444-142-0x0000000000400000-0x000000000048E000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PWTzIv.url	scan0002992, xlxs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 548 set thread context of 1444	548	scan0002992, xlxs.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
548	scan0002992, xlxs.exe
548	scan0002992, xlxs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	548	scan0002992, xlxs.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 1236	548	scan0002992, xlxs.exe	82
PID 548 wrote to memory of 1236	548	scan0002992, xlxs.exe	82
PID 548 wrote to memory of 1236	548	scan0002992, xlxs.exe	82
PID 1236 wrote to memory of 3444	1236	csc.exe	84
PID 1236 wrote to memory of 3444	1236	csc.exe	84
PID 1236 wrote to memory of 3444	1236	csc.exe	84
PID 548 wrote to memory of 1444	548	scan0002992, xlxs.exe	85
PID 548 wrote to memory of 1444	548	scan0002992, xlxs.exe	85
PID 548 wrote to memory of 1444	548	scan0002992, xlxs.exe	85
PID 548 wrote to memory of 1444	548	scan0002992, xlxs.exe	85
PID 548 wrote to memory of 1444	548	scan0002992, xlxs.exe	85
PID 548 wrote to memory of 1444	548	scan0002992, xlxs.exe	85
PID 548 wrote to memory of 1444	548	scan0002992, xlxs.exe	85
PID 548 wrote to memory of 1444	548	scan0002992, xlxs.exe	85

C:\Users\Admin\AppData\Local\Temp\scan0002992, xlxs.exe
"C:\Users\Admin\AppData\Local\Temp\scan0002992, xlxs.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uofun4q4\uofun4q4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB981.tmp" "c:\Users\Admin\AppData\Local\Temp\uofun4q4\CSCC3FFD882285E4A338E863C6F49E1C92.TMP"
    3⤵
    PID:3444
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:1444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB981.tmp

Filesize
1KB

MD5
faef66f8596ba9a55c52ec2db6b6b9db

SHA1
2f374b31d55388a353774ef5321757da1caaac29

SHA256
80603a0d90c84ba096e2679c1a7f1e9fac5c18a06f8b016289b07368a3c5cd3d

SHA512
e820305d1a2383785bd0e92e0446dc0947a9095529d54545ab161f084c92f39ad02e75d03fe1b37c1f6b64a8f9c23f9109fe8b7ab8e0d4f46c77c28edf4c89af

Download Submit
C:\Users\Admin\AppData\Local\Temp\uofun4q4\uofun4q4.dll

Filesize
15KB

MD5
1a5ae2de0f53b174f00f045e27c26ee7

SHA1
86717dcfb04a69e2de70462716c1e188c3b0fe9f

SHA256
2f4f970f19308d957ead76afff89bd1486e42c1d75b8104afe7adbeaeaffc74b

SHA512
f5aa4bf8e8fb18cf3a2d979f0a3b6e09de74d72f378db395e038f5a9b0bc225c85933deb5394dc607f4a4525a34b4ffd2230e0c61549da8c8d783245f97102d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uofun4q4\uofun4q4.pdb

Filesize
49KB

MD5
c7f78e3cd8ad612acad021f1de7b198a

SHA1
42ee711994b7d3e996043597ed6adb6e1e5fcd17

SHA256
991bf273ead9cb3a2d56843c31f4ca536f93f70b0c35fd3a6da0b7c214431809

SHA512
d6832dcfb6e9a2e2211c1c6d5584eaf9690452d91b5b24c0c6e4ac1749d62a772a7a8ebf0d9e022f905943a449ce4cc82d0c2b221ba67d1482dfa0fbc013ca97

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uofun4q4\CSCC3FFD882285E4A338E863C6F49E1C92.TMP

Filesize
1KB

MD5
4b6c591e62a77b0005f7f0e6a4ddfa5c

SHA1
afa1e05cb00cf4eb7f816669f3a23a7255469c87

SHA256
14115f50ab9623a332a76a4ac7237e35bc275cb835340819f7ab6a4ddacfe293

SHA512
89da2e2d5a8c30e8eae73f7923e59ecb1f0dd3e4a0d7bceaef65d15d6dbec75115cb65bc18e0f55d9f1a34e9de8e2edb1780d8df488ca503de866062224d7e91

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uofun4q4\uofun4q4.0.cs

Filesize
28KB

MD5
7300342b16e28fb27dda1e4c04b59bf6

SHA1
72801e6011d027f8836f55e9eece403ebed3db32

SHA256
20042a0b578f8531f23c3d7f9b4c3a677f301b3c12c25dd7e8d3e952a6665dcf

SHA512
0be481c3b80959c95a46113ba74997a91abd8ac82bf429e5fc7dcc68ed93a35484a6acdc95390bcafc09151f4475d283437bb75acdc23ea74653ee439469a9bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uofun4q4\uofun4q4.cmdline

Filesize
248B

MD5
937325f25786346856514a3b5b8dc413

SHA1
70a5c2bb12874c803c5ceb3aca16cda2d7760e99

SHA256
ba88054f94878ff5e9ff6bd12b0f773ce1e6cb88176f290b2b9ffb162f5f530c

SHA512
e8e41e3b1f1e5a535f7b1dc8f6e4fdb9433c81256517a1efdd1baf71c32a6a69339f9daefe2b498c9ae1bf590a2efb8841f9d542e2c86e8d4827aeb9146883e4

Download Submit
memory/548-140-0x0000000005FB0000-0x000000000604C000-memory.dmp

Filesize
624KB

Download
memory/548-130-0x0000000000E90000-0x0000000000F4A000-memory.dmp

Filesize
744KB

Download
memory/548-139-0x0000000005910000-0x00000000059A2000-memory.dmp

Filesize
584KB

Download
memory/1444-142-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1444-143-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download
memory/1444-144-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download
memory/1444-145-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing