Analysis
- max time kernel: 123s
- max time network: 125s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-12-2020 19:43
Static task: static1
Behavioral task: behavioral1
  Sample: 7da4f5e17791a774131c3c97538a2495.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 7da4f5e17791a774131c3c97538a2495.exe
  Resource: win10v20201028
General
- Target: 7da4f5e17791a774131c3c97538a2495.exe
- Size: 7.1MB
- MD5: 7da4f5e17791a774131c3c97538a2495
- SHA1: 552b4a357b259935a35b06d040d7f2e3205c8e42
- SHA256: ac8ef770d70da42ea56d5b15fb5db0be89ae9250ac78b2bfd493843a50399a19
- SHA512: 4c0460e29457f9910f5ebb4090fbaf1e29d28e4d2abb5f63dbe83061cdb306e0c545db97662f6a380e438d615ad3b9f43eec8d7b1f9b57eecff63ef45557ce7b
Malware Config
Extracted
- Family: hawkeye_reborn
- Version: 10.1.2.7
- Protocol: smtp
- Host: mail.faresmedica.com
- Port: 25
- Username: test@faresmedica.com
- Password: REGINA71@
- Mutex: ae5d6307-0d62-4e92-938b-debeac1db00e
- fields:
  _AntiDebugger: false
  _AntiVirusKiller: false
  _BotKiller: false
  _ClipboardLogger: false
  _Delivery: 0
  _DisableCommandPrompt: false
  _DisableRegEdit: false
  _DisableTaskManager: false
  _Disablers: false
  _EmailPassword: REGINA71@
  _EmailPort: 25
  _EmailSSL: false
  _EmailServer: mail.faresmedica.com
  _EmailUsername: test@faresmedica.com
  _EmptyClipboard: false
  _EmptyKeyStroke: false
  _ExecutionDelay: 10
  _FTPPort: 0
  _FTPSFTP: false
  _FakeMessageIcon: 0
  _FakeMessageShow: false
  _FileBinder: false
  _HideFile: false
  _HistoryCleaner: false
  _Install: false
  _InstallLocation: 0
  _InstallStartup: false
  _InstallStartupPersistance: false
  _KeyStrokeLogger: false
  _LogInterval: 10
  _LoopPasswordStealer: true
  _MeltFile: false
  _Mutex: ae5d6307-0d62-4e92-938b-debeac1db00e
  _PasswordStealer: true
  _ProcessElevation: false
  _ProcessProtection: false
  _ScreenshotLogger: false
  _SystemInfo: false
  _Version: 10.1.2.7
  _WebCamLogger: false
  _WebsiteBlocker: false
  _WebsiteVisitor: false
  _WebsiteVisitorVisible: false
  _ZoneID: false
- name: HawkEye Keylogger - RebornX, Version=10.1.2.7, Culture=neutral, PublicKeyToken=null
Signatures
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
- M00nD3v Logger Payload (4 IoCs)
  Detects M00nD3v Logger payload in memory.
  resource | yara_rule
  behavioral1/memory/1744-7-0x0000000000497C3E-mapping.dmp | m00nd3v_logger
  behavioral1/memory/1744-6-0x0000000000400000-0x000000000049C000-memory.dmp | m00nd3v_logger
  behavioral1/memory/1744-9-0x0000000000400000-0x000000000049C000-memory.dmp | m00nd3v_logger
  behavioral1/memory/1744-8-0x0000000000400000-0x000000000049C000-memory.dmp | m00nd3v_logger
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 1628 set thread context of 1744 | 1628 | 7da4f5e17791a774131c3c97538a2495.exe | 7da4f5e17791a774131c3c97538a2495.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 1628 wrote to memory of 1744 | 1628 | 7da4f5e17791a774131c3c97538a2495.exe | 7da4f5e17791a774131c3c97538a2495.exe
  (the same row is recorded 9 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\7da4f5e17791a774131c3c97538a2495.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7da4f5e17791a774131c3c97538a2495.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\7da4f5e17791a774131c3c97538a2495.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7da4f5e17791a774131c3c97538a2495.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/1628-2-0x0000000074450000-0x0000000074B3E000-memory.dmp (Filesize: 6.9MB)
- memory/1628-3-0x0000000001040000-0x0000000001041000-memory.dmp (Filesize: 4KB)
- memory/1628-5-0x0000000000A70000-0x0000000000B1F000-memory.dmp (Filesize: 700KB)
- memory/1744-7-0x0000000000497C3E-mapping.dmp
- memory/1744-6-0x0000000000400000-0x000000000049C000-memory.dmp (Filesize: 624KB)
- memory/1744-9-0x0000000000400000-0x000000000049C000-memory.dmp (Filesize: 624KB)
- memory/1744-8-0x0000000000400000-0x000000000049C000-memory.dmp (Filesize: 624KB)
- memory/1744-10-0x00000000743D0000-0x0000000074ABE000-memory.dmp (Filesize: 6.9MB)
- memory/1744-13-0x0000000000260000-0x000000000027A000-memory.dmp (Filesize: 104KB)