m00nd3v_logger | ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a

Analysis

max time kernel
84s
max time network
117s
platform
windows7_x64
resource
win7-20220414-en
submitted
14-07-2022 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe
Size

724KB
MD5

8c801bcd5404e6951355e5a128c95fca
SHA1

0cb59615e4e19d3c56f08998e775c4b40c90ceda
SHA256

ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a
SHA512

b065e7ca45322e4fc572160fa46a667146d9f3f86493c71c92d9b038c350797d2eb314900dd84d784f3cacbd0ee56b39ac6046b8a3015b21afb31fb6824e416c

Score

10^/10

m00nd3v_logger infostealer spyware stealer

Malware Config

Signatures

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 7 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral1/memory/900-66-0x0000000005170000-0x00000000051FE000-memory.dmp	m00nd3v_logger
behavioral1/memory/1804-70-0x0000000000400000-0x000000000048E000-memory.dmp	m00nd3v_logger
behavioral1/memory/1804-71-0x0000000000400000-0x000000000048E000-memory.dmp	m00nd3v_logger
behavioral1/memory/1804-72-0x0000000000400000-0x000000000048E000-memory.dmp	m00nd3v_logger
behavioral1/memory/1804-73-0x0000000000489C4E-mapping.dmp	m00nd3v_logger
behavioral1/memory/1804-77-0x0000000000400000-0x000000000048E000-memory.dmp	m00nd3v_logger
behavioral1/memory/1804-75-0x0000000000400000-0x000000000048E000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 7 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/900-66-0x0000000005170000-0x00000000051FE000-memory.dmp	MailPassView
behavioral1/memory/1804-70-0x0000000000400000-0x000000000048E000-memory.dmp	MailPassView
behavioral1/memory/1804-71-0x0000000000400000-0x000000000048E000-memory.dmp	MailPassView
behavioral1/memory/1804-72-0x0000000000400000-0x000000000048E000-memory.dmp	MailPassView
behavioral1/memory/1804-73-0x0000000000489C4E-mapping.dmp	MailPassView
behavioral1/memory/1804-77-0x0000000000400000-0x000000000048E000-memory.dmp	MailPassView
behavioral1/memory/1804-75-0x0000000000400000-0x000000000048E000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 7 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/900-66-0x0000000005170000-0x00000000051FE000-memory.dmp	WebBrowserPassView
behavioral1/memory/1804-70-0x0000000000400000-0x000000000048E000-memory.dmp	WebBrowserPassView
behavioral1/memory/1804-71-0x0000000000400000-0x000000000048E000-memory.dmp	WebBrowserPassView
behavioral1/memory/1804-72-0x0000000000400000-0x000000000048E000-memory.dmp	WebBrowserPassView
behavioral1/memory/1804-73-0x0000000000489C4E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1804-77-0x0000000000400000-0x000000000048E000-memory.dmp	WebBrowserPassView
behavioral1/memory/1804-75-0x0000000000400000-0x000000000048E000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

resource	yara_rule
behavioral1/memory/900-66-0x0000000005170000-0x00000000051FE000-memory.dmp	Nirsoft
behavioral1/memory/1804-70-0x0000000000400000-0x000000000048E000-memory.dmp	Nirsoft
behavioral1/memory/1804-71-0x0000000000400000-0x000000000048E000-memory.dmp	Nirsoft
behavioral1/memory/1804-72-0x0000000000400000-0x000000000048E000-memory.dmp	Nirsoft
behavioral1/memory/1804-73-0x0000000000489C4E-mapping.dmp	Nirsoft
behavioral1/memory/1804-77-0x0000000000400000-0x000000000048E000-memory.dmp	Nirsoft
behavioral1/memory/1804-75-0x0000000000400000-0x000000000048E000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PWTzIv.url	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 900 set thread context of 1804	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	31

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe
900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe
900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 956	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	27
PID 900 wrote to memory of 956	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	27
PID 900 wrote to memory of 956	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	27
PID 900 wrote to memory of 956	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	27
PID 956 wrote to memory of 1992	956	csc.exe	29
PID 956 wrote to memory of 1992	956	csc.exe	29
PID 956 wrote to memory of 1992	956	csc.exe	29
PID 956 wrote to memory of 1992	956	csc.exe	29
PID 900 wrote to memory of 1248	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	30
PID 900 wrote to memory of 1248	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	30
PID 900 wrote to memory of 1248	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	30
PID 900 wrote to memory of 1248	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	30
PID 900 wrote to memory of 1248	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	30
PID 900 wrote to memory of 1248	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	30
PID 900 wrote to memory of 1248	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	30
PID 900 wrote to memory of 1804	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	31
PID 900 wrote to memory of 1804	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	31
PID 900 wrote to memory of 1804	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	31
PID 900 wrote to memory of 1804	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	31
PID 900 wrote to memory of 1804	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	31
PID 900 wrote to memory of 1804	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	31
PID 900 wrote to memory of 1804	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	31
PID 900 wrote to memory of 1804	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	31
PID 900 wrote to memory of 1804	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	31
PID 900 wrote to memory of 1804	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	31
PID 900 wrote to memory of 1804	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	31
PID 900 wrote to memory of 1804	900	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	31

C:\Users\Admin\AppData\Local\Temp\ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe
"C:\Users\Admin\AppData\Local\Temp\ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\otq1o3gz\otq1o3gz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F54.tmp" "c:\Users\Admin\AppData\Local\Temp\otq1o3gz\CSC111FC02BC18F410E885C94BC8D205E40.TMP"
    3⤵
    PID:1992
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:1248
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:1804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1F54.tmp

Filesize
1KB

MD5
b4e3a7cdd7bde7ff64d8079129cdae5d

SHA1
a2b7e24560d520b03d9f3d90759403fbea889693

SHA256
26de2caee564118be0ea8ce813c7640c784fda521539aa71f923a1e5b792b365

SHA512
06a2e3ef3f8257c971e1a7f53c9852a6081934c2cd4e86f2ff76d89f0e224c749304dd87e4633a4a6572aa07522de02eae29ff83993af153d453564b64898305

Download Submit
C:\Users\Admin\AppData\Local\Temp\otq1o3gz\otq1o3gz.dll

Filesize
15KB

MD5
6fdf3035d1ebc77dc259242d5ee249fd

SHA1
4e6aa0b678fd032f0a4d480c720d057c544e3b08

SHA256
2ecef83af7a4beaf9e08356acaf86f9eb229296fd35aca145b7e2ccf1cbbb450

SHA512
00f6ea2503ea02ea2850512961f7112829459734d39f3c470f80cc3d753185363a0c29d365594084cce53ddd601892b8cd8c8f3c2314af2d35b13c0649ccaebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\otq1o3gz\otq1o3gz.pdb

Filesize
49KB

MD5
e9275146203d3a3a2a107557c8e907e9

SHA1
5d7a5390adf1ae492acacc7616eef5ef1b7b1f11

SHA256
2dc1532135e6db7815b7018d70a37c5d41bab30cbd96e60a45e4675415e62953

SHA512
653feb7287506a2d39493a1c6fe074463e2b511f650602a692e089e8b503f8ac35eec31ee7904bc3f4e78b63eb605e00268976d4817b5dde8dd5086d5e967c2b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\otq1o3gz\CSC111FC02BC18F410E885C94BC8D205E40.TMP

Filesize
1KB

MD5
03a9358663afff169a0bb95336bea3c5

SHA1
cf6fbdd664aa70f97d9fca0770900776f84d4eb1

SHA256
82d82442bc318195c452e26cda59be9943f595c364718091b7827fdb218e098e

SHA512
b39e52d68dcb66e701fc5d7d524ab1b62017330868a0a201c8eb0880cf750e19caaa7efc5bc31af4a1ee1cc23444d62b4c8d709e5207a4598b008f7bdb8ceee0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\otq1o3gz\otq1o3gz.0.cs

Filesize
28KB

MD5
7300342b16e28fb27dda1e4c04b59bf6

SHA1
72801e6011d027f8836f55e9eece403ebed3db32

SHA256
20042a0b578f8531f23c3d7f9b4c3a677f301b3c12c25dd7e8d3e952a6665dcf

SHA512
0be481c3b80959c95a46113ba74997a91abd8ac82bf429e5fc7dcc68ed93a35484a6acdc95390bcafc09151f4475d283437bb75acdc23ea74653ee439469a9bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\otq1o3gz\otq1o3gz.cmdline

Filesize
248B

MD5
941e77f73c69529f69214b0a0c4b0b9d

SHA1
ee4d789f437d265b347efcd733606c663078e57e

SHA256
a1171dc4c250bdb8530c303152dd6904f2741882fbfda8ba096d5c36f1998bdc

SHA512
a0be03ef164dbbe9b93d5ec54fcdd07c882d4c9aad7da8ef092bcd8abd61b26bd576732a48793262e791fe8466d54eaedc9c98a85f14a04ed796a390e9f71433

Download Submit
memory/900-66-0x0000000005170000-0x00000000051FE000-memory.dmp

Filesize
568KB

Download
memory/900-54-0x0000000001050000-0x000000000110A000-memory.dmp

Filesize
744KB

Download
memory/900-63-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/900-64-0x00000000053F0000-0x000000000548A000-memory.dmp

Filesize
616KB

Download
memory/900-65-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/1804-70-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1804-67-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1804-68-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1804-71-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1804-72-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1804-77-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1804-75-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1804-78-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/1804-79-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/1804-80-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/1804-81-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download