m00nd3v_logger | ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a

General

Target

ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe
Size

724KB
MD5

8c801bcd5404e6951355e5a128c95fca
SHA1

0cb59615e4e19d3c56f08998e775c4b40c90ceda
SHA256

ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a
SHA512

b065e7ca45322e4fc572160fa46a667146d9f3f86493c71c92d9b038c350797d2eb314900dd84d784f3cacbd0ee56b39ac6046b8a3015b21afb31fb6824e416c

Score

10^/10

m00nd3v_logger infostealer spyware stealer

Malware Config

Signatures

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral2/memory/4104-143-0x0000000000400000-0x000000000048E000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4104-143-0x0000000000400000-0x000000000048E000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4104-143-0x0000000000400000-0x000000000048E000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4104-143-0x0000000000400000-0x000000000048E000-memory.dmp	Nirsoft

Drops startup file 1 IoCs

Processes:

ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PWTzIv.url	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 bot.whatismyipaddress.com

flow	ioc
33	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe

description	pid	process	target process
PID 3788 set thread context of 4104	3788	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe

pid	process
3788	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe
3788	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe

description pid process

Token: SeDebugPrivilege 3788 ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe

description	pid	process
Token: SeDebugPrivilege	3788	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.execsc.exe

description	pid	process	target process
PID 3788 wrote to memory of 4800	3788	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	csc.exe
PID 3788 wrote to memory of 4800	3788	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	csc.exe
PID 3788 wrote to memory of 4800	3788	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	csc.exe
PID 4800 wrote to memory of 4564	4800	csc.exe	cvtres.exe
PID 4800 wrote to memory of 4564	4800	csc.exe	cvtres.exe
PID 4800 wrote to memory of 4564	4800	csc.exe	cvtres.exe
PID 3788 wrote to memory of 4104	3788	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	RegAsm.exe
PID 3788 wrote to memory of 4104	3788	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	RegAsm.exe
PID 3788 wrote to memory of 4104	3788	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	RegAsm.exe
PID 3788 wrote to memory of 4104	3788	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	RegAsm.exe
PID 3788 wrote to memory of 4104	3788	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	RegAsm.exe
PID 3788 wrote to memory of 4104	3788	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	RegAsm.exe
PID 3788 wrote to memory of 4104	3788	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	RegAsm.exe
PID 3788 wrote to memory of 4104	3788	ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe
"C:\Users\Admin\AppData\Local\Temp\ea2b0fcd4c2149b99d1fa98e4f67baeee2b827db770d68ea2202be1402c7e31a.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rpx0nkbq\rpx0nkbq.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES734B.tmp" "c:\Users\Admin\AppData\Local\Temp\rpx0nkbq\CSC27096FC93D044B4286FFB8169C1C4E0.TMP"
3⤵
PID:4564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:4104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES734B.tmp
Filesize
1KB

MD5
0bad1a23cd9f63fd820718d4c8c74a02

SHA1
eb8a13f72e68f08aee5331cea12a047848b3a0ba

SHA256
24363ac95036a3c635afed2ee5b251eae00bd08203f76ebf23103e850326ea6f

SHA512
763f3df4c1dfed6f86804d348e1e22cf8ff462abe8d1857ec4332206de288b8df2fef41fabf38b9d54c4b7293061d5a0b14095a3c0d5952cd472e30c751f82c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpx0nkbq\rpx0nkbq.dll
Filesize
15KB

MD5
0d72f8641a4e3e6cb4cbf405d1d31d48

SHA1
54bdaaa5eb7fe145b806ae5f1aaa92d4c27826eb

SHA256
21c6df178f1362505cdcfc375f02726644dee172380febfbfc0442b2ef858a0d

SHA512
0b90c5e418b6427e2478637629f0d85d7448a360ba09a67425de67dd51782a02b3934926f2984cb78c642b695ad3f758510a8a2aa84f7a2d60bf38f9e754fb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpx0nkbq\rpx0nkbq.pdb
Filesize
49KB

MD5
6baccaf4cca23c7aa1b43938932823e0

SHA1
60cfe59fef079d30472c242ae5aec75c764bc8a6

SHA256
7f3097b5e31e60f8e3d09cd21c12f7221beec2aed2a845da2dcfa4ad3f7687ad

SHA512
73bf21077eb5b6b8d74b3024e03aa23464ec5c77b9707e76aff0a66c11fe92478717ab7d994e10442203268d1cc034c9b9b5a4298d54da3ec7c45b587bf9ead9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rpx0nkbq\CSC27096FC93D044B4286FFB8169C1C4E0.TMP
Filesize
1KB

MD5
b04ba4fdfd295ff638229e4b48186d23

SHA1
30f45d415b608142cf4b484ef5ff59d7982e2baf

SHA256
f5e90aa9ebc187fa2596e3df9984687e957e353de2632e5b88b7d0a3eeb2be09

SHA512
9aaf41983aaea8110ce44ae809b235e943a9493b1b8247613655d8e5079401fbc70b241195bcdf1fed91f1ddf1280e611fe03ba4d3cc2458e0c8e79643a71366

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rpx0nkbq\rpx0nkbq.0.cs
Filesize
28KB

MD5
7300342b16e28fb27dda1e4c04b59bf6

SHA1
72801e6011d027f8836f55e9eece403ebed3db32

SHA256
20042a0b578f8531f23c3d7f9b4c3a677f301b3c12c25dd7e8d3e952a6665dcf

SHA512
0be481c3b80959c95a46113ba74997a91abd8ac82bf429e5fc7dcc68ed93a35484a6acdc95390bcafc09151f4475d283437bb75acdc23ea74653ee439469a9bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rpx0nkbq\rpx0nkbq.cmdline
Filesize
248B

MD5
3fbc0c2bc63d85787055a472e6352f37

SHA1
1b21cd020e55279368f7e1b8bb8375ee3b84066b

SHA256
e7385e965326886b5a4b5448b7bd059ddbd55a6cf9345dcd0832b93877823cd2

SHA512
d658982913f8ab1ea6e4bcffae99bf77db3d722efc02ccdd175af84c9ec78f91877d48d6f627b30d4ce1230da4b20b3a8cba41ba61d3f456b4cdb831485a57e0

Download Submit
memory/3788-140-0x0000000004C90000-0x0000000004D22000-memory.dmp

Filesize
584KB

Download
memory/3788-131-0x0000000000220000-0x00000000002DA000-memory.dmp

Filesize
744KB

Download
memory/3788-141-0x0000000005320000-0x00000000053BC000-memory.dmp

Filesize
624KB

Download
memory/4104-143-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4104-142-0x0000000000000000-mapping.dmp

Download
memory/4104-144-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/4104-145-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/4104-146-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/4564-135-0x0000000000000000-mapping.dmp

Download
memory/4800-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads