{
	"id": "8fd3facf-1487-488f-92e7-42731d6a4116",
	"created_at": "2026-04-06T00:17:57.117229Z",
	"updated_at": "2026-04-10T13:12:42.180027Z",
	"deleted_at": null,
	"sha1_hash": "4c75386a5a49b62ce744b041bc3ddb8639041ab2",
	"title": "Deep Dive into the M00nD3V Logger | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4356392,
	"plain_text": "Deep Dive into the M00nD3V Logger | Zscaler Blog\r\nBy Rohit Chaturvedi, Naveen Selvan\r\nPublished: 2020-07-10 · Archived: 2026-04-05 19:59:17 UTC\r\nThreatLabz observed a multifunctional information-stealing trojan named \"M00nD3V Logger\" that is being dropped by a multistage loader. Due to its multiple stealing features, M00nD3V Logger has gradually gained popularity on hacking forums.\r\nRecently, Blueliv published a blog discussing the relationship of M00nD3V with the HawkEye stealer, along with information about the bad actor selling M00nD3V.\r\nAside from keystroke logging, the M00nD3V Logger has the ability to steal confidential information, such as browser passwords, FTP client passwords, email client passwords, DynDNS credentials, and JDownloader credentials; capture Windows keystrokes; and gain access to the webcam and hook the clipboard. In all, it has the ability to steal passwords from 42 applications.\r\nM00nD3V Logger is also equipped with other major functionality, including a botkiller, an antivirus killer, communication over SMTP/FTP/proxy, downloading additional plugins, and the BouncyCastle crypto package. These mechanisms make this logger unique and popular on hacking forums.\r\nFigure 1: An image from the owner account.\r\nhttps://www.zscaler.com/blogs/research/deep-dive-m00nd3v-logger\r\nPage 1 of 15\n\nDelivery mechanism\r\nDuring our research, we found M00nD3V was delivered via spam mail or through a compromised website that drops a payload on the victim's machine. One such spam mail claims to be from \"Hyundai Heavy Industries Co., Ltd\" regarding a bid on a project for Qatargas. 
The spam mail includes ZIP attachments that contain malicious executables.\r\nFigure 2: Spam mail.\r\nFigure 3: M00nD3V Logger subscription and payment method pages.\r\nIn this blog, we will provide a detailed technical analysis of the commercial M00nD3V Logger malware.\r\nTechnical analysis\r\ndab9565e03fae2c5c18c9071a713153a - Parent File (.Net)\r\ne9cf47f3b0750dd0ee1ca30ea9861cc9 - Loader (.Net)\r\nbf8801bcd5a196744ccd0f863f84df71 - Final Payload (.Net)\r\nDelivering malware without triggering any suspicious activity while blending into an existing benign Windows process makes detection harder. Here, the M00nD3V malware uses one such trick to deliver its payload without being easily noticed.\r\nFigure 4: The M00nD3V malware running under RegAsm.exe, a Microsoft utility.\r\nFigure 4 shows the malware after execution. In the case of an allowlisted application, the endpoint antivirus will not flag any malicious activity. Hence, the malware can do its job on the fly without getting caught.\r\nThe malware also runs by elevating its own privileges.\r\nUnpacking routine\r\nThe malware unpacks the encrypted payload using multibyte XOR decryption. The XOR key also contains null bytes, so a few bytes of the payload are not actually ciphered.\r\nFirst layer decryption\r\nThe hardcoded pass variable \"zvjzpeuCFasb\" is used as a key. When converted to a Unicode string, the same pass variable is: \"z\\x00v\\x00j\\x00z\\x00p\\x00e\\x00u\\x00C\\x00F\\x00a\\x00s\\x00b\\x00\". The key length is 24 bytes.\r\nFigure 5: First-level decryption using multibyte XOR.\r\nEven though the key length is 24, the malware uses only the first 16 bytes to decrypt the resource section of the encrypted data. The above decryption routine results in a .NET PE file. 
In this dumped file, there is a similar XOR routine to decrypt the data, but with a different key, to run the final payload.\r\nSecond layer decryption\r\nHere, the hardcoded pass variable \"WcqqicsgTUaj\" is used as a key. When converted to a Unicode string, the same pass variable is: \"W\\x00c\\x00q\\x00q\\x00i\\x00c\\x00s\\x00g\\x00T\\x00U\\x00a\\x00j\\x00\".\r\nWe have written Python scripts to decrypt the encrypted payloads, which can be found in Appendix I and Appendix II.\r\nPayload analysis\r\nThe StubConfig class contains the configuration details; some of them are initialized with Base64 values while others are hardcoded.\r\nFigure 6: StubConfig details.\r\nBefore starting to log user data, the M00nD3V Logger initializes its configuration. The initialization phase includes several checks, such as an anti-debugger, a bot killer, an antivirus killer, and more. Figure 7 shows the initialization module.\r\nFigure 7: Initialization phase.\r\nInitialization details:\r\nDependencyLoader - Downloads the DLL from m00nd3v[.]com/M00nD3v/Decryption/BouncyCastle[.]Crypto.dll and loads it in memory.\r\nExecutionDelay - Sleeps for 5,000 milliseconds before executing.\r\nSingleInstance - Checks whether a single instance is already running by looking for the hardcoded mutex value {99ed2fc7-0fdc-42ef-8b82-78d1c7c554e3} and sets a flag accordingly. If an app is running with the same mutex, then the loader exits.\r\nDecryptCredential - Uses the Rijndael256 algorithm to decrypt the Stub configuration values [the cipher data is a Base64-encoded value and the key is the hardcoded mutex value] and sets them to their respective variables, as shown in Figure 8.\r\nFigure 8: The decrypt credential. 
\r\nPersistence - Copies the parent file to the AppData directory and creates the startup entry [SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run].\r\nAntiDebugger - Checks to see if any of the following processes are running: SbieDll.dll, Wireshark, Winsock Packet Editor. If any are found, the malware terminates.\r\nFigure 9: AntiDebugger checks during the initialization process.\r\nAntivirus killer - Uses Image File Execution Options (IFEO) to interfere with the executables shown in Figure 10. By modifying the registry entry [Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\], the malware attaches rundll32.exe as the debugger for each of the executables. This way, it prevents all the listed applications from running.\r\nFigure 10: Application list.\r\nProcess elevation - As shown in Figure 11, the malware contains a process elevation module, which is responsible for elevating the privilege of the malware executable. The malware sets the security identifier type as \"WorldSid\" with AceQualifier AccessDenied. It is applicable to the \"Everyone\" group, so if anyone attempts to kill the process, it won't be allowed to terminate.\r\nFigure 11: Process elevation.\r\nBot killer - Scans all running processes and Windows Startup registry entries [ \\\\Run\\\\ and \\\\RunOnce\\\\ ], then passes the file location path to the module IsFileMalicious() to tag either the process or file as malicious and delete it accordingly. [Note: In the case of a running process, it additionally checks each process window's visibility property. If it is set to false, then the process is tagged as malicious.]\r\nFigure 12 shows the checks used inside IsFileMalicious(). 
Here, 'fileloc' is the full path of the file or process.\r\nFigure 12: Malicious checks of the file.\r\nBefore starting to log the stored credentials and other personal data, it checks whether the malware was previously installed on the victim's machine by looking for a specific file name, built from a combination of the Processor Id and the Volume Serial Number, in the temp directory. If the file is not present, then it creates it and writes Rijndael256-encrypted data, which is a combination of the current executable path and the hardcoded StubConfigEncryptionKey, and then shows a fake message box to fool the victim.\r\nFigure 13: The Rijndael256 key.\r\nThe malware has three kinds of communication methods to send logged data: SMTP, FTP, and proxy. This stub, however, is configured to send data over SMTP only.\r\nBefore starting any logging functionality, it checks whether the respective logging functionality variable is set in the Stub config entry. If the value is not set in the config, then it won't execute the \"keystroke functionality\". As shown in Figure 14, the Stub is configured to execute the keystroke module but not the webcam, as the webcam value is not assigned.\r\nFigure 14: Stub configuration.\r\nThe Stub starts its core stealing functionality by sending full victim machine information, as shown in Figure 15, to the attacker over SMTP port 587.\r\nFigure 15: Basic machine information sent to the attacker.\r\nNetwork communication\r\nVia SMTP\r\nThe malware communicates with the attacker over SMTP using port 587.\r\nThe malware crafts an email with the captured details shown in Figure 16 and sends it to the attacker. 
The attackers use the \"smtp.privateemail.com\" service to transfer the captured data.\r\nFigure 16: Information sent via SMTP.\r\nThe LogTypeName mentioned below is used to tag the data to inform the attacker which module is currently running.\r\nFigure 17: Log type.\r\nVia FTP\r\nWhile uploading data over FTP, it first converts the plain text data to bytes and creates FTP requests by configuring all the FTP request fields (i.e., ftp_host, credentials, method). The values for all these fields are set from the Stub configuration class. The FTP method used to upload files is \"STOR\".\r\nFigure 18: Communication via FTP.\r\nVia proxy\r\nThe malware sets the proxy URL from the config class and uploads the below-mentioned data using the POST method.\r\nFigure 19: Communication via proxy.\r\nThe values are encrypted with Rijndael256, where the key is the Proxy Key configured in the Stub config class.\r\nEach stealing module runs independently in its own thread, as shown in Figure 20.\r\nFigure 20: The core modules.\r\nPassword stealer: M00nD3V Logger has the capability to steal passwords and cookies from all possible browsers and email clients, as well as FTP clients.\r\nInterestingly, the malware has three separate classes named \"ChromiumProvider\", \"MailProvider\", and \"MozillaProvider\", as shown in Figure 21. Each provider has the functionality to retrieve and decrypt the passwords for the applications assigned to that provider.\r\nFigure 21: Provider list.\r\nThe malware first tries to decrypt the password with the Data Protection API (DPAPI) library. 
If that isn't successful, it attempts to decrypt the passwords using \"BouncyCastle\", which the malware downloaded from \"m00nd3v[.]com/M00nD3v/Decryption/BouncyCastle.Crypto.dll\". It uses the \"GcmBlockCipher\" and \"AeadParameters\" classes, whose instances help the malware decrypt the final password.\r\nFigure 22: The BouncyCastle code.\r\nThe collected passwords are sent to the attacker over SMTP.\r\nFigure 23: The collected passwords sent over SMTP.\r\nWebcam\r\nThe malware has the capability to secretly access the device's webcam and capture an image. The malware copies the captured image onto the clipboard, extracts the image from the clipboard, then saves it in the temp directory. To send stolen images over SMTP, it reads the image path and attaches the .bmp image as an email attachment with a personalized subject line, such as \"Dear M00nD3v user Please find the attachment of Webcam. 
Regards M00nD3v\".\r\nFigure 24: The webcam module.\r\nSimilarly, the other modules (keystrokes, clipboard, and screen sender) execute in individual threads and send stolen data to the attacker, then sleep for some period of time before repeating the same stealing process.\r\nFigure 24: The Zscaler Cloud Sandbox report for the M00nD3V Logger.\r\nThe following is the advanced threat protection signature released for detecting the malware:\r\nWin32.Backdoor.M00nD3v\r\nMITRE ATT\u0026CK™ tactic and technique mapping\r\nT1503 Credentials from Web Browsers\r\nT1112 Modify Registry\r\nT1060 Persistence\r\nT1057 Process Discovery\r\nT1105 Remote File Copy\r\nT1497 Defense Evasion, Discovery\r\nT1083 File and Directory Discovery\r\nT1089 Disabling Security Tools\r\nT1055 Process Injection\r\nT1548 Abuse Elevation Control Mechanism\r\nT1115 Clipboard Data\r\nT1113 Screen Capture\r\nT1125 Video Capture\r\nT1056 Input Capture\r\nT1048 Exfiltration Over Alternative Protocol\r\nT1183 Image File Execution Options Injection\r\nIOCs:\r\ndab9565e03fae2c5c18c9071a713153a - Parent File (.Net)\r\ne9cf47f3b0750dd0ee1ca30ea9861cc9 - Loader (.Net)\r\nbf8801bcd5a196744ccd0f863f84df71 - Final Payload\r\nC\u0026C:\r\nm00nd3v[.]com\r\nAppendix I:\r\nPython script for the first-level decryption:\r\nfile = open('enc.bin', 'rb')\r\ncont = file.read()\r\nfile.close()\r\n# First 16 bytes of the UTF-16LE form of \"zvjzpeuCFasb\"\r\nxor_key = b\"z\\x00v\\x00j\\x00z\\x00p\\x00e\\x00u\\x00C\\x00\"\r\nfl = bytearray()\r\nfor index in range(len(cont)):\r\n    fl.append(cont[index] ^ xor_key[index % 16])  # Malware doesn't use the full key\r\n
f = open('fixed', 'wb')\r\nf.write(bytes(fl))\r\nf.close()\r\nAppendix II:\r\nPython script for the second-level decryption:\r\nfile = open('enc2.bin', 'rb')\r\ncont = file.read()\r\nfile.close()\r\n# UTF-16LE form of \"WcqqicsgTUaj\"; only the first 16 bytes are used\r\nxor_key = b\"W\\x00c\\x00q\\x00q\\x00i\\x00c\\x00s\\x00g\\x00T\\x00U\\x00a\\x00j\\x00\"\r\nxor_key = xor_key[0:16]\r\nfl = bytearray()\r\nfor index in range(len(cont)):\r\n    fl.append(cont[index] ^ xor_key[index % 16])  # Malware doesn't use the full key\r\nf = open('fixed2', 'wb')\r\nf.write(bytes(fl))\r\nf.close()\r\nSource: https://www.zscaler.com/blogs/research/deep-dive-m00nd3v-logger",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/deep-dive-m00nd3v-logger"
	],
	"report_names": [
		"deep-dive-m00nd3v-logger"
	],
	"threat_actors": [],
	"ts_created_at": 1775434677,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c75386a5a49b62ce744b041bc3ddb8639041ab2.pdf",
		"text": "https://archive.orkl.eu/4c75386a5a49b62ce744b041bc3ddb8639041ab2.txt",
		"img": "https://archive.orkl.eu/4c75386a5a49b62ce744b041bc3ddb8639041ab2.jpg"
	}
}