m00nd3v_logger | 612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359

General

Target

612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe
Size

1.4MB
MD5

bf8f74eb5dee1bb05729a4092481f8c5
SHA1

b78641682de541b52ddc277e317432d904453e82
SHA256

612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359
SHA512

17f06d41247f979f8bdb8fd22367b377233fb59a594affd5ddd47dfcff8faa2aa4e67e4e7005427a1a6712ad8766d2fa805111ef463bb90fd771d68e37ef0751

Score

10^/10

m00nd3v_logger infostealer spyware stealer

Malware Config

Signatures

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 2 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
behavioral1/memory/1644-69-0x0000000000402000-0x000000000048B200-memory.dmp	m00nd3v_logger
behavioral1/memory/1644-73-0x0000000000402000-0x000000000048B200-memory.dmp	m00nd3v_logger

Executes dropped EXE 1 IoCs

Processes:

javas.exe

pid process

1872 javas.exe
Drops startup file 1 IoCs

Processes:

javas.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\javas.DFYk4p0zuTWUN0um.lnk javas.exe
Loads dropped DLL 1 IoCs

Processes:

javas.exe

pid process

1872 javas.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 bot.whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

javas.exe

description pid process target process

PID 1872 set thread context of 1644 1872 javas.exe RegAsm.exe

pid	process
1872	javas.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\javas.DFYk4p0zuTWUN0um.lnk	javas.exe

pid	process
1872	javas.exe

flow	ioc
4	bot.whatismyipaddress.com

description	pid	process	target process
PID 1872 set thread context of 1644	1872	javas.exe	RegAsm.exe

Drops file in Windows directory 4 IoCs

Processes:

612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exejavas.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	javas.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	javas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exejavas.exe

description	pid	process
Token: SeDebugPrivilege	1996	612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe
Token: SeDebugPrivilege	1872	javas.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exeexplorer.exejavas.exe

description	pid	process	target process
PID 1996 wrote to memory of 1652	1996	612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe	explorer.exe
PID 1996 wrote to memory of 1652	1996	612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe	explorer.exe
PID 1996 wrote to memory of 1652	1996	612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe	explorer.exe
PID 1996 wrote to memory of 1652	1996	612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe	explorer.exe
PID 1524 wrote to memory of 1872	1524	explorer.exe	javas.exe
PID 1524 wrote to memory of 1872	1524	explorer.exe	javas.exe
PID 1524 wrote to memory of 1872	1524	explorer.exe	javas.exe
PID 1524 wrote to memory of 1872	1524	explorer.exe	javas.exe
PID 1872 wrote to memory of 1644	1872	javas.exe	RegAsm.exe
PID 1872 wrote to memory of 1644	1872	javas.exe	RegAsm.exe
PID 1872 wrote to memory of 1644	1872	javas.exe	RegAsm.exe
PID 1872 wrote to memory of 1644	1872	javas.exe	RegAsm.exe
PID 1872 wrote to memory of 1644	1872	javas.exe	RegAsm.exe
PID 1872 wrote to memory of 1644	1872	javas.exe	RegAsm.exe
PID 1872 wrote to memory of 1644	1872	javas.exe	RegAsm.exe
PID 1872 wrote to memory of 1644	1872	javas.exe	RegAsm.exe
PID 1872 wrote to memory of 1644	1872	javas.exe	RegAsm.exe
PID 1872 wrote to memory of 1644	1872	javas.exe	RegAsm.exe
PID 1872 wrote to memory of 1644	1872	javas.exe	RegAsm.exe
PID 1872 wrote to memory of 1644	1872	javas.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe
"C:\Users\Admin\AppData\Local\Temp\612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\javas.exe
2⤵
PID:1652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Roaming\javas.exe
"C:\Users\Admin\AppData\Roaming\javas.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\javas.exe
Filesize
1.4MB

MD5
bf8f74eb5dee1bb05729a4092481f8c5

SHA1
b78641682de541b52ddc277e317432d904453e82

SHA256
612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359

SHA512
17f06d41247f979f8bdb8fd22367b377233fb59a594affd5ddd47dfcff8faa2aa4e67e4e7005427a1a6712ad8766d2fa805111ef463bb90fd771d68e37ef0751

Download Submit
C:\Users\Admin\AppData\Roaming\javas.exe
Filesize
1.4MB

MD5
bf8f74eb5dee1bb05729a4092481f8c5

SHA1
b78641682de541b52ddc277e317432d904453e82

SHA256
612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359

SHA512
17f06d41247f979f8bdb8fd22367b377233fb59a594affd5ddd47dfcff8faa2aa4e67e4e7005427a1a6712ad8766d2fa805111ef463bb90fd771d68e37ef0751

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
Filesize
514B

MD5
c7fa61d67a12b9fd1cab0e0032e3b8e2

SHA1
2c8f45e5f9374a88468e6ad4b7f38513fc0662dd

SHA256
789ee28edc35e4d7ff6fb7ca993eed973a0d1be0a10a92d1923f77bb30508b59

SHA512
d992d8e4edc9fcd9a7c50d8222e1fb4390c369a25077eff0442d3462296dcbae8bd2ccd313a23a7da1f140ea7dd248509093547290541ffa7b41ea44449c2faf

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Filesize
514B

MD5
c7fa61d67a12b9fd1cab0e0032e3b8e2

SHA1
2c8f45e5f9374a88468e6ad4b7f38513fc0662dd

SHA256
789ee28edc35e4d7ff6fb7ca993eed973a0d1be0a10a92d1923f77bb30508b59

SHA512
d992d8e4edc9fcd9a7c50d8222e1fb4390c369a25077eff0442d3462296dcbae8bd2ccd313a23a7da1f140ea7dd248509093547290541ffa7b41ea44449c2faf

Download Submit
\Users\Admin\AppData\Roaming\javas.exe
Filesize
1.4MB

MD5
bf8f74eb5dee1bb05729a4092481f8c5

SHA1
b78641682de541b52ddc277e317432d904453e82

SHA256
612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359

SHA512
17f06d41247f979f8bdb8fd22367b377233fb59a594affd5ddd47dfcff8faa2aa4e67e4e7005427a1a6712ad8766d2fa805111ef463bb90fd771d68e37ef0751

Download Submit
memory/1524-59-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/1644-70-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1644-73-0x0000000000402000-0x000000000048B200-memory.dmp

Filesize
548KB

Download
memory/1644-78-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1644-76-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1644-71-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1644-69-0x0000000000402000-0x000000000048B200-memory.dmp

Filesize
548KB

Download
memory/1652-56-0x0000000000000000-mapping.dmp

Download
memory/1652-58-0x0000000071651000-0x0000000071653000-memory.dmp

Filesize
8KB

Download
memory/1872-68-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1872-61-0x0000000000000000-mapping.dmp

Download
memory/1872-65-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1872-77-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-66-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-54-0x0000000075371000-0x0000000075373000-memory.dmp

Filesize
8KB

Download
memory/1996-55-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads