Overview

overview

10

Static

static

Payment.exe

windows7_x64

10

Payment.exe

windows10_x64

10

Analysis

  • max time kernel
    127s
  • max time network
    144s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment.exe

  • Size

    632KB

  • MD5

    93754785d90a7266752db82c7ae5c409

  • SHA1

    1e364df2ed6e173aea29267dcbe35b9ecd035c00

  • SHA256

    18b880e3b13ed9f47ecbb88ffe91ad90f54e8f98fc2813d4d85ec11fe64f6811

  • SHA512

    5fbda59fd92866d1c66261af12c3b3d417857e2ad3472b31be8cc09dd224a38f7546e41d0ce92349e66812a24dd60b11cf2116d834baeea79aae4d23899c7ca0

Score
10/10
hawkeye_rebornm00nd3v_loggerkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.2.5

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    cjmyguy@yandex.com
  • Password:
    @@Io419090@@
Mutex

9d7a8478-3f88-45bf-bc0e-c4ff1adc7062

Attributes
  • fields

    map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:@@Io419090@@ _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.com _EmailUsername:cjmyguy@yandex.com _EmptyClipboard:true _EmptyKeyStroke:true _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _LoopPasswordStealer:true _MeltFile:false _Mutex:9d7a8478-3f88-45bf-bc0e-c4ff1adc7062 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.5 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]

  • name

    HawkEye Keylogger - RebornX, Version=10.1.2.5, Culture=neutral, PublicKeyToken=null

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • M00nD3v Logger Payload 2 IoCs

    Detects M00nD3v Logger payload in memory.

  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:504
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OSosKfLALDaxiH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5FD9.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3064
    • C:\Users\Admin\AppData\Local\Temp\Payment.exe
      "{path}"
      2⤵
        PID:2864
      • C:\Users\Admin\AppData\Local\Temp\Payment.exe
        "{path}"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2872

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Payment.exe.log
      MD5

      ef140ef600b2463c9e7dbf064a104046

      SHA1

      c08fd1853877be95575ea2e860dd8cafef31f54c

      SHA256

      ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616

      SHA512

      bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp5FD9.tmp
      MD5

      0e9a16dc1df54986f6d9d6793dfdb47d

      SHA1

      257b280c362592a1b98be8a501db5bf11a3ecbeb

      SHA256

      9a73af7c0d4c4f2256ca241157c27192c178f01ab07aa43d35f3622a4a640177

      SHA512

      b7bdc3acc137c3877e38908d9127a5ff444ee38501e972f3e1d20c89b7045beadd246413ec8351ec785ae728f17757382563492a9c946ba2630ee374fc2fa680

      Download Submit
    • memory/2872-2-0x0000000000400000-0x000000000049C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2872-3-0x0000000000497C3E-mapping.dmp
      Download
    • memory/3064-0-0x0000000000000000-mapping.dmp
      Download