Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 02:02
Static task: static1
Behavioral task: behavioral1
  Sample: 8875ae2d57289e7589027bd085c7c17a.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 8875ae2d57289e7589027bd085c7c17a.exe
  Resource: win10v2004-20240508-en
General
Target: 8875ae2d57289e7589027bd085c7c17a.exe
Size: 699KB
MD5: 8875ae2d57289e7589027bd085c7c17a
SHA1: 8ef58bda3235b6cac0dce3f977d194c0d33cb694
SHA256: 71ba0f2207724fdcd6ae946c22683e8208ea2da4ef1d0026f08966eaeaf39d1f
SHA512: 31a00a7fe10cbb922605289403b90f5bdd35520780742141957085f17ab6ef06eb81611624dbbc59bb44c6933faa6e1a48de5e9a8fd3ed6ed7b871f58c8d086b
SSDEEP: 12288:cE10Gk3EFpjUa+LVRsb2UsJ4BhBrZ4PhPNAwI6SKkYcjoYkjIGuD8G1VygfW7Ex:cwUUraVgsJ4B3QAJkkYc0JMGu1vKU
Malware Config
Signatures
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
resource | yara_rule
  behavioral1/memory/1596-17-0x0000000000400000-0x000000000048E000-memory.dmp | m00nd3v_logger
  behavioral1/memory/1596-21-0x0000000000400000-0x000000000048E000-memory.dmp | m00nd3v_logger
  behavioral1/memory/1596-19-0x0000000000400000-0x000000000048E000-memory.dmp | m00nd3v_logger
  behavioral1/memory/1596-11-0x0000000000400000-0x000000000048E000-memory.dmp | m00nd3v_logger
  behavioral1/memory/1596-8-0x0000000000400000-0x000000000048E000-memory.dmp | m00nd3v_logger
NirSoft MailPassView 5 IoCs
Password recovery tool for various email clients
resource | yara_rule
  behavioral1/memory/1596-17-0x0000000000400000-0x000000000048E000-memory.dmp | MailPassView
  behavioral1/memory/1596-21-0x0000000000400000-0x000000000048E000-memory.dmp | MailPassView
  behavioral1/memory/1596-19-0x0000000000400000-0x000000000048E000-memory.dmp | MailPassView
  behavioral1/memory/1596-11-0x0000000000400000-0x000000000048E000-memory.dmp | MailPassView
  behavioral1/memory/1596-8-0x0000000000400000-0x000000000048E000-memory.dmp | MailPassView
NirSoft WebBrowserPassView 5 IoCs
Password recovery tool for various web browsers
resource | yara_rule
  behavioral1/memory/1596-17-0x0000000000400000-0x000000000048E000-memory.dmp | WebBrowserPassView
  behavioral1/memory/1596-21-0x0000000000400000-0x000000000048E000-memory.dmp | WebBrowserPassView
  behavioral1/memory/1596-19-0x0000000000400000-0x000000000048E000-memory.dmp | WebBrowserPassView
  behavioral1/memory/1596-11-0x0000000000400000-0x000000000048E000-memory.dmp | WebBrowserPassView
  behavioral1/memory/1596-8-0x0000000000400000-0x000000000048E000-memory.dmp | WebBrowserPassView
Nirsoft 5 IoCs
resource | yara_rule
  behavioral1/memory/1596-17-0x0000000000400000-0x000000000048E000-memory.dmp | Nirsoft
  behavioral1/memory/1596-21-0x0000000000400000-0x000000000048E000-memory.dmp | Nirsoft
  behavioral1/memory/1596-19-0x0000000000400000-0x000000000048E000-memory.dmp | Nirsoft
  behavioral1/memory/1596-11-0x0000000000400000-0x000000000048E000-memory.dmp | Nirsoft
  behavioral1/memory/1596-8-0x0000000000400000-0x000000000048E000-memory.dmp | Nirsoft
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
  2 | bot.whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
  PID 1872 set thread context of 1596 | 1872 | 8875ae2d57289e7589027bd085c7c17a.exe | 29
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
  Token: SeDebugPrivilege | 1872 | 8875ae2d57289e7589027bd085c7c17a.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
  PID 1872 wrote to memory of 1596 | 1872 | 8875ae2d57289e7589027bd085c7c17a.exe | 29
  (this identical row is recorded 9 times in the report)
Processes
1. "C:\Users\Admin\AppData\Local\Temp\8875ae2d57289e7589027bd085c7c17a.exe" (PID 1872)
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\AppData\Local\Temp\8875ae2d57289e7589027bd085c7c17a.exe" (PID 1596)