Overview

overview

10

Static

static

ea2b0fcd4c...1a.exe

windows7_x64

10

ea2b0fcd4c...1a.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    84s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    14-07-2022 00:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe

  • Size

    724KB

  • MD5

    8c801bcd5404e6951355e5a128c95fca

  • SHA1

    0cb59615e4e19d3c56f08998e775c4b40c90ceda

  • SHA256

    ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a

  • SHA512

    b065e7ca45322e4fc572160fa46a667146d9f3f86493c71c92d9b038c350797d2eb314900dd84d784f3cacbd0ee56b39ac6046b8a3015b21afb31fb6824e416c

Score
10/10
m00nd3v_loggerinfostealerspywarestealer

Malware Config

Signatures

  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • M00nD3v Logger payload 7 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • NirSoft MailPassView 7 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 7 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Drops startup file 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe
    "C:\Users\Admin\AppData\Local\Temp\ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\otq1o3gz\otq1o3gz.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F54.tmp" "c:\Users\Admin\AppData\Local\Temp\otq1o3gz\CSC111FC02BC18F410E885C94BC8D205E40.TMP"
        3⤵
          PID:1992
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        2⤵
          PID:1248
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          2⤵
            PID:1804

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RES1F54.tmp
          Filesize

          1KB

          MD5

          b4e3a7cdd7bde7ff64d8079129cdae5d

          SHA1

          a2b7e24560d520b03d9f3d90759403fbea889693

          SHA256

          26de2caee564118be0ea8ce813c7640c784fda521539aa71f923a1e5b792b365

          SHA512

          06a2e3ef3f8257c971e1a7f53c9852a6081934c2cd4e86f2ff76d89f0e224c749304dd87e4633a4a6572aa07522de02eae29ff83993af153d453564b64898305

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\otq1o3gz\otq1o3gz.dll
          Filesize

          15KB

          MD5

          6fdf3035d1ebc77dc259242d5ee249fd

          SHA1

          4e6aa0b678fd032f0a4d480c720d057c544e3b08

          SHA256

          2ecef83af7a4beaf9e08356acaf86f9eb229296fd35aca145b7e2ccf1cbbb450

          SHA512

          00f6ea2503ea02ea2850512961f7112829459734d39f3c470f80cc3d753185363a0c29d365594084cce53ddd601892b8cd8c8f3c2314af2d35b13c0649ccaebe

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\otq1o3gz\otq1o3gz.pdb
          Filesize

          49KB

          MD5

          e9275146203d3a3a2a107557c8e907e9

          SHA1

          5d7a5390adf1ae492acacc7616eef5ef1b7b1f11

          SHA256

          2dc1532135e6db7815b7018d70a37c5d41bab30cbd96e60a45e4675415e62953

          SHA512

          653feb7287506a2d39493a1c6fe074463e2b511f650602a692e089e8b503f8ac35eec31ee7904bc3f4e78b63eb605e00268976d4817b5dde8dd5086d5e967c2b

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\otq1o3gz\CSC111FC02BC18F410E885C94BC8D205E40.TMP
          Filesize

          1KB

          MD5

          03a9358663afff169a0bb95336bea3c5

          SHA1

          cf6fbdd664aa70f97d9fca0770900776f84d4eb1

          SHA256

          82d82442bc318195c452e26cda59be9943f595c364718091b7827fdb218e098e

          SHA512

          b39e52d68dcb66e701fc5d7d524ab1b62017330868a0a201c8eb0880cf750e19caaa7efc5bc31af4a1ee1cc23444d62b4c8d709e5207a4598b008f7bdb8ceee0

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\otq1o3gz\otq1o3gz.0.cs
          Filesize

          28KB

          MD5

          7300342b16e28fb27dda1e4c04b59bf6

          SHA1

          72801e6011d027f8836f55e9eece403ebed3db32

          SHA256

          20042a0b578f8531f23c3d7f9b4c3a677f301b3c12c25dd7e8d3e952a6665dcf

          SHA512

          0be481c3b80959c95a46113ba74997a91abd8ac82bf429e5fc7dcc68ed93a35484a6acdc95390bcafc09151f4475d283437bb75acdc23ea74653ee439469a9bc

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\otq1o3gz\otq1o3gz.cmdline
          Filesize

          248B

          MD5

          941e77f73c69529f69214b0a0c4b0b9d

          SHA1

          ee4d789f437d265b347efcd733606c663078e57e

          SHA256

          a1171dc4c250bdb8530c303152dd6904f2741882fbfda8ba096d5c36f1998bdc

          SHA512

          a0be03ef164dbbe9b93d5ec54fcdd07c882d4c9aad7da8ef092bcd8abd61b26bd576732a48793262e791fe8466d54eaedc9c98a85f14a04ed796a390e9f71433

          Download Submit
        • memory/900-66-0x0000000005170000-0x00000000051FE000-memory.dmp
          Filesize

          568KB

          Download
        • memory/900-54-0x0000000001050000-0x000000000110A000-memory.dmp
          Filesize

          744KB

          Download
        • memory/900-63-0x0000000000470000-0x000000000047A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/900-64-0x00000000053F0000-0x000000000548A000-memory.dmp
          Filesize

          616KB

          Download
        • memory/900-65-0x00000000004D0000-0x00000000004DC000-memory.dmp
          Filesize

          48KB

          Download
        • memory/956-55-0x0000000000000000-mapping.dmp
          Download
        • memory/1804-70-0x0000000000400000-0x000000000048E000-memory.dmp
          Filesize

          568KB

          Download
        • memory/1804-67-0x0000000000400000-0x000000000048E000-memory.dmp
          Filesize

          568KB

          Download
        • memory/1804-68-0x0000000000400000-0x000000000048E000-memory.dmp
          Filesize

          568KB

          Download
        • memory/1804-71-0x0000000000400000-0x000000000048E000-memory.dmp
          Filesize

          568KB

          Download
        • memory/1804-72-0x0000000000400000-0x000000000048E000-memory.dmp
          Filesize

          568KB

          Download
        • memory/1804-73-0x0000000000489C4E-mapping.dmp
          Download
        • memory/1804-77-0x0000000000400000-0x000000000048E000-memory.dmp
          Filesize

          568KB

          Download
        • memory/1804-75-0x0000000000400000-0x000000000048E000-memory.dmp
          Filesize

          568KB

          Download
        • memory/1804-78-0x00000000763E1000-0x00000000763E3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1804-79-0x00000000744E0000-0x0000000074A8B000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/1804-80-0x00000000744E0000-0x0000000074A8B000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/1804-81-0x00000000744E0000-0x0000000074A8B000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/1992-58-0x0000000000000000-mapping.dmp
          Download