m00nd3v_logger | 612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359

General

Target

612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe
Size

1.4MB
MD5

bf8f74eb5dee1bb05729a4092481f8c5
SHA1

b78641682de541b52ddc277e317432d904453e82
SHA256

612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359
SHA512

17f06d41247f979f8bdb8fd22367b377233fb59a594affd5ddd47dfcff8faa2aa4e67e4e7005427a1a6712ad8766d2fa805111ef463bb90fd771d68e37ef0751

Score

10^/10

m00nd3v_logger infostealer spyware stealer

Malware Config

Signatures

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 2 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral1/memory/1644-69-0x0000000000402000-0x000000000048B200-memory.dmp	m00nd3v_logger
behavioral1/memory/1644-73-0x0000000000402000-0x000000000048B200-memory.dmp	m00nd3v_logger

Executes dropped EXE 1 IoCs

pid	Process
1872	javas.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\javas.DFYk4p0zuTWUN0um.lnk	javas.exe

Loads dropped DLL 1 IoCs

pid	Process
1872	javas.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1872 set thread context of 1644	1872	javas.exe	30

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	javas.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	javas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe
Token: SeDebugPrivilege	1872	javas.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1652	1996	612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe	27
PID 1996 wrote to memory of 1652	1996	612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe	27
PID 1996 wrote to memory of 1652	1996	612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe	27
PID 1996 wrote to memory of 1652	1996	612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe	27
PID 1524 wrote to memory of 1872	1524	explorer.exe	29
PID 1524 wrote to memory of 1872	1524	explorer.exe	29
PID 1524 wrote to memory of 1872	1524	explorer.exe	29
PID 1524 wrote to memory of 1872	1524	explorer.exe	29
PID 1872 wrote to memory of 1644	1872	javas.exe	30
PID 1872 wrote to memory of 1644	1872	javas.exe	30
PID 1872 wrote to memory of 1644	1872	javas.exe	30
PID 1872 wrote to memory of 1644	1872	javas.exe	30
PID 1872 wrote to memory of 1644	1872	javas.exe	30
PID 1872 wrote to memory of 1644	1872	javas.exe	30
PID 1872 wrote to memory of 1644	1872	javas.exe	30
PID 1872 wrote to memory of 1644	1872	javas.exe	30
PID 1872 wrote to memory of 1644	1872	javas.exe	30
PID 1872 wrote to memory of 1644	1872	javas.exe	30
PID 1872 wrote to memory of 1644	1872	javas.exe	30
PID 1872 wrote to memory of 1644	1872	javas.exe	30

C:\Users\Admin\AppData\Local\Temp\612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe
"C:\Users\Admin\AppData\Local\Temp\612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\javas.exe
  2⤵
  PID:1652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Roaming\javas.exe
  "C:\Users\Admin\AppData\Roaming\javas.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\javas.exe

Filesize
1.4MB

MD5
bf8f74eb5dee1bb05729a4092481f8c5

SHA1
b78641682de541b52ddc277e317432d904453e82

SHA256
612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359

SHA512
17f06d41247f979f8bdb8fd22367b377233fb59a594affd5ddd47dfcff8faa2aa4e67e4e7005427a1a6712ad8766d2fa805111ef463bb90fd771d68e37ef0751

Download Submit
C:\Users\Admin\AppData\Roaming\javas.exe

Filesize
1.4MB

MD5
bf8f74eb5dee1bb05729a4092481f8c5

SHA1
b78641682de541b52ddc277e317432d904453e82

SHA256
612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359

SHA512
17f06d41247f979f8bdb8fd22367b377233fb59a594affd5ddd47dfcff8faa2aa4e67e4e7005427a1a6712ad8766d2fa805111ef463bb90fd771d68e37ef0751

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

Filesize
514B

MD5
c7fa61d67a12b9fd1cab0e0032e3b8e2

SHA1
2c8f45e5f9374a88468e6ad4b7f38513fc0662dd

SHA256
789ee28edc35e4d7ff6fb7ca993eed973a0d1be0a10a92d1923f77bb30508b59

SHA512
d992d8e4edc9fcd9a7c50d8222e1fb4390c369a25077eff0442d3462296dcbae8bd2ccd313a23a7da1f140ea7dd248509093547290541ffa7b41ea44449c2faf

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
514B

MD5
c7fa61d67a12b9fd1cab0e0032e3b8e2

SHA1
2c8f45e5f9374a88468e6ad4b7f38513fc0662dd

SHA256
789ee28edc35e4d7ff6fb7ca993eed973a0d1be0a10a92d1923f77bb30508b59

SHA512
d992d8e4edc9fcd9a7c50d8222e1fb4390c369a25077eff0442d3462296dcbae8bd2ccd313a23a7da1f140ea7dd248509093547290541ffa7b41ea44449c2faf

Download Submit
\Users\Admin\AppData\Roaming\javas.exe

Filesize
1.4MB

MD5
bf8f74eb5dee1bb05729a4092481f8c5

SHA1
b78641682de541b52ddc277e317432d904453e82

SHA256
612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359

SHA512
17f06d41247f979f8bdb8fd22367b377233fb59a594affd5ddd47dfcff8faa2aa4e67e4e7005427a1a6712ad8766d2fa805111ef463bb90fd771d68e37ef0751

Download Submit
memory/1524-59-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/1644-70-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1644-73-0x0000000000402000-0x000000000048B200-memory.dmp

Filesize
548KB

Download
memory/1644-78-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1644-76-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1644-71-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1644-69-0x0000000000402000-0x000000000048B200-memory.dmp

Filesize
548KB

Download
memory/1652-58-0x0000000071651000-0x0000000071653000-memory.dmp

Filesize
8KB

Download
memory/1872-68-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1872-65-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1872-77-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-66-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-54-0x0000000075371000-0x0000000075373000-memory.dmp

Filesize
8KB

Download
memory/1996-55-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing