Analysis
max time kernel: 134s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-06-2024 02:02
Static task: static1
Behavioral task: behavioral1
  Sample: 8875ae2d57289e7589027bd085c7c17a.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 8875ae2d57289e7589027bd085c7c17a.exe
  Resource: win10v2004-20240508-en
General
Target: 8875ae2d57289e7589027bd085c7c17a.exe
Size: 699KB
MD5: 8875ae2d57289e7589027bd085c7c17a
SHA1: 8ef58bda3235b6cac0dce3f977d194c0d33cb694
SHA256: 71ba0f2207724fdcd6ae946c22683e8208ea2da4ef1d0026f08966eaeaf39d1f
SHA512: 31a00a7fe10cbb922605289403b90f5bdd35520780742141957085f17ab6ef06eb81611624dbbc59bb44c6933faa6e1a48de5e9a8fd3ed6ed7b871f58c8d086b
SSDEEP: 12288:cE10Gk3EFpjUa+LVRsb2UsJ4BhBrZ4PhPNAwI6SKkYcjoYkjIGuD8G1VygfW7Ex:cwUUraVgsJ4B3QAJkkYc0JMGu1vKU
Malware Config
Signatures

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
resource                                                                     yara_rule
behavioral2/memory/4872-3-0x0000000000400000-0x000000000048E000-memory.dmp   m00nd3v_logger
behavioral2/memory/4872-5-0x0000000000400000-0x000000000048E000-memory.dmp   m00nd3v_logger
behavioral2/memory/4872-4-0x0000000000400000-0x000000000048E000-memory.dmp   m00nd3v_logger
NirSoft MailPassView (3 IoCs)
Password recovery tool for various email clients
resource                                                                     yara_rule
behavioral2/memory/4872-3-0x0000000000400000-0x000000000048E000-memory.dmp   MailPassView
behavioral2/memory/4872-5-0x0000000000400000-0x000000000048E000-memory.dmp   MailPassView
behavioral2/memory/4872-4-0x0000000000400000-0x000000000048E000-memory.dmp   MailPassView
NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
resource                                                                     yara_rule
behavioral2/memory/4872-3-0x0000000000400000-0x000000000048E000-memory.dmp   WebBrowserPassView
behavioral2/memory/4872-5-0x0000000000400000-0x000000000048E000-memory.dmp   WebBrowserPassView
behavioral2/memory/4872-4-0x0000000000400000-0x000000000048E000-memory.dmp   WebBrowserPassView
Nirsoft (3 IoCs)
resource                                                                     yara_rule
behavioral2/memory/4872-3-0x0000000000400000-0x000000000048E000-memory.dmp   Nirsoft
behavioral2/memory/4872-5-0x0000000000400000-0x000000000048E000-memory.dmp   Nirsoft
behavioral2/memory/4872-4-0x0000000000400000-0x000000000048E000-memory.dmp   Nirsoft
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow   ioc
29     bot.whatismyipaddress.com
Suspicious use of SetThreadContext (1 IoC)
description                          pid    Process                                procid_target
PID 3088 set thread context of 4872  3088   8875ae2d57289e7589027bd085c7c17a.exe   88
Suspicious use of AdjustPrivilegeToken (1 IoC)
description               pid    Process
Token: SeDebugPrivilege   3088   8875ae2d57289e7589027bd085c7c17a.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid    Process                                procid_target
PID 3088 wrote to memory of 4872  3088   8875ae2d57289e7589027bd085c7c17a.exe   88
PID 3088 wrote to memory of 4872  3088   8875ae2d57289e7589027bd085c7c17a.exe   88
PID 3088 wrote to memory of 4872  3088   8875ae2d57289e7589027bd085c7c17a.exe   88
PID 3088 wrote to memory of 4872  3088   8875ae2d57289e7589027bd085c7c17a.exe   88
PID 3088 wrote to memory of 4872  3088   8875ae2d57289e7589027bd085c7c17a.exe   88
PID 3088 wrote to memory of 4872  3088   8875ae2d57289e7589027bd085c7c17a.exe   88
PID 3088 wrote to memory of 4872  3088   8875ae2d57289e7589027bd085c7c17a.exe   88
PID 3088 wrote to memory of 4872  3088   8875ae2d57289e7589027bd085c7c17a.exe   88
Processes
C:\Users\Admin\AppData\Local\Temp\8875ae2d57289e7589027bd085c7c17a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8875ae2d57289e7589027bd085c7c17a.exe"
  PID: 3088
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\8875ae2d57289e7589027bd085c7c17a.exe (child of PID 3088)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8875ae2d57289e7589027bd085c7c17a.exe"
    PID: 4872
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\8875ae2d57289e7589027bd085c7c17a.exe.log
Filesize: 400B
MD5: 0a9b4592cd49c3c21f6767c2dabda92f
SHA1: f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256: c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512: 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307