m00nd3v_logger | 329e6260889146a492fa6b82bde020f3db2101702ce4eca13974c09275158585 | Triage

Submit
Reports

Overview

overview

Static

static

3

PO 10884-01.exe

windows7-x64

PO 10884-01.exe

windows10-2004-x64

Sharing

General

Target

bbaa9a2b954b43dc76eddb3eb39f52a9_JaffaCakes118
Size

718KB
Sample

240618-ngpkfavhpk
MD5

bbaa9a2b954b43dc76eddb3eb39f52a9
SHA1

fde0d2aeae2b838f46ea9e27e8b22a57bb31ed78
SHA256

329e6260889146a492fa6b82bde020f3db2101702ce4eca13974c09275158585
SHA512

d620a4ce3515ef6740105edf1432aa8ef2866665fab67eefb1f29354dcd86e9d2c19c8580075e241a4a60717883c9f69876706d03982d1f41155fa203e990ee6
SSDEEP

12288:CiH2xH7EwHbH0ZWCzSUBSk/ieFDUf3hrj7TEEb/QCUZtYsQjXMGhSawSoMpwq1Fb:CPxAGbH0ZWg1fqeFoPh7jh4tY8OJwSoO

Score

10^/10

m00nd3v_logger collection infostealer persistence spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

PO 10884-01.exe

Resource

win7-20240419-en

m00nd3v_logger collection infostealer persistence spyware stealer

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

PO 10884-01.exe

Resource

win10v2004-20240508-en

m00nd3v_logger collection infostealer persistence spyware stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  PO 10884-01.exe
- Size
  
  763KB
- MD5
  
  6c69ff3ad392bfc6921775dfaee888c9
- SHA1
  
  a316d28e4f9bc679c536a98b8386a8d9b828242e
- SHA256
  
  861b31169b4ee1cd46f2cf7da3483f91974c10259592253ed54aa7cf58b50b1b
- SHA512
  
  b2b6e8a527d3a483331005975d171c21097d3f0ed337f1e5d19cad35d884c0f824e026cbc0ca6c6ca6cb750b9b5d968abaa3b3238a7beadee2b5db753058b356
- SSDEEP
  
  12288:bzYlyMqL0jp2ANybNrL0UTfC7V9J+kHl4VqhzyC5wXZ1YMJXaoy6I8GrMjr1e:HMjEANybNrYUT6p9x43ZuMJXaCI8GrMF
Score

10^/10

m00nd3v_logger collection infostealer persistence spyware stealer
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  stealer spyware m00nd3v_logger
- M00nD3v Logger payload
  Detects M00nD3v Logger payload in memory.
  infostealer
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

m00nd3v_loggercollectioninfostealerpersistencespywarestealer

behavioral2

m00nd3v_loggercollectioninfostealerpersistencespywarestealer

© 2018-2024

Terms | Privacy