MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1136fada0e7737d8ea5304cb8e85550cf1ca35e2b64bfa6e000b07d5c428f7d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


M00nD3v


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1136fada0e7737d8ea5304cb8e85550cf1ca35e2b64bfa6e000b07d5c428f7d7
SHA3-384 hash: 6e761127d1a2dd35620090d883606b18925dbc414d41dce769f019645e279e0a034bd7021273275a036050e7a1c83de3
SHA1 hash: c02248caa827d496219fb9a096a612cb9e5ac41d
MD5 hash: 9472287f8d3ce5d09ed8adf54230b98e
humanhash: monkey-ceiling-maryland-beryllium
File name:PROJECT-0039382.exe
Download: download sample
Signature M00nD3v
Create hunting rule
File size:371'712 bytes
First seen:2020-05-25 12:56:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:3xy6tusYbm+lTMtYBAGIuzRISX53ARWtpq3HeF9JiWq4Tz2fwczjeM6D4X54vyhx:3xUs45HiINAREyeFfiWq4OfwYjH6D4cu
Threatray 427 similar samples on MalwareBazaar
TLSH 5084024123F85BAFE17F53F615A268005BB5B22B362AE30D4ED915DF19E6F980A00F53
Reporter abuse_ch
Tags:exe M00nD3v


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: ebro.at
Sending IP: 37.49.230.192
From: Herbert RUMPLER <H.Rumpler@ebro.at>
Reply-To: herbert@beccltd.com
Subject: INQUIRY - our project-no. 63998
Attachment: PROJECT-0039382.rar (contains "PROJECT-0039382.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.49554.18417.17538.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 13:36:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
emotet
Create hunting rule
Similar samples:
0a375c52851b79c5d3be0d18025940bee5f68501c8e18334264f116775e57fa7
M00nD3v
0b0843fec59e2e7c90b04d88f9d90f7e6a3c8e7511a601d20ba588a52380781b
M00nD3v
3a2adcac20af82cdb882ab9bd9a1a78ca30f833a488cd13a55daf8ff743271a3
M00nD3v
400ad786bf1e76812b70a3ab4ba345668fe07c176743f412f6ff5372238c2320
M00nD3v
538a207974969d50055870c016eb819c2a71a1388db863bf025ea5bc2144b00b
M00nD3v
a4b07204b33173093041072e00e88d0083c88b88f634561aabe46ec8992f9332
M00nD3v
c0a5e2237ef1901c7a3ee2c15290c8db625a1cb9659e99a86ee474460533aa32
M00nD3v
c51d3c8be3936b476ac729e5ddc15eb4dcd5dea18dbcf8200f0767b33ab0b076
M00nD3v
c730e6287aa786e04d22daa4e6c77b504cdf80dc4f09877a15bc79bac84403f6
M00nD3v
f9aa404e6b892570fa59a968eb1e6f2069cb6e6105632e323ae91d7c8005fe57
M00nD3v
+ 417 additional samples on MalwareBazaar
Result
Malware family:
m00nd3v_logger
Create hunting rule
Score:
  10/10
Tags:
family:m00nd3v_logger coreentity rezer0 spyware stealer
Link:
https://tria.ge/reports/201109-nch2pfmp2x/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
Uses the VBS compiler for execution
M00nD3v Logger Payload
rezer0
CoreEntity .NET Packer
M00nd3v_Logger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_NK_BabyShark_KimJoingRAT_Apr19_1
Create hunting rule
Author:Florian Roth
Description:Detects BabyShark KimJongRAT
Reference:https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_m00nd3v_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects the M00nD3v keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

M00nD3v

rar bb37f3f6290e9e1d40e57b8f8f3088a000ff399564f13ec8709c68efc23120f8

M00nD3v

Executable exe 1136fada0e7737d8ea5304cb8e85550cf1ca35e2b64bfa6e000b07d5c428f7d7

(this sample)

  
Dropped by
MD5 10691fb5f63e41aeae17385bfa29ca03
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 bb37f3f6290e9e1d40e57b8f8f3088a000ff399564f13ec8709c68efc23120f8

Comments