Analysis
- max time kernel: 17s
- max time network: 103s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 19:43
Static task: static1
Behavioral task: behavioral1
  Sample: 7da4f5e17791a774131c3c97538a2495.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 7da4f5e17791a774131c3c97538a2495.exe
  Resource: win10v20201028
General
- Target: 7da4f5e17791a774131c3c97538a2495.exe
- Size: 7.1MB
- MD5: 7da4f5e17791a774131c3c97538a2495
- SHA1: 552b4a357b259935a35b06d040d7f2e3205c8e42
- SHA256: ac8ef770d70da42ea56d5b15fb5db0be89ae9250ac78b2bfd493843a50399a19
- SHA512: 4c0460e29457f9910f5ebb4090fbaf1e29d28e4d2abb5f63dbe83061cdb306e0c545db97662f6a380e438d615ad3b9f43eec8d7b1f9b57eecff63ef45557ce7b
Malware Config
Extracted
- family: hawkeye_reborn
- version: 10.1.2.7
- exfiltration: Protocol: smtp - Host: mail.faresmedica.com - Port: 25 - Username: test@faresmedica.com - Password: REGINA71@
- mutex: ae5d6307-0d62-4e92-938b-debeac1db00e
- fields:
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:REGINA71@ _EmailPort:25 _EmailSSL:false _EmailServer:mail.faresmedica.com _EmailUsername:test@faresmedica.com _EmptyClipboard:false _EmptyKeyStroke:false _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _LoopPasswordStealer:true _MeltFile:false _Mutex:ae5d6307-0d62-4e92-938b-debeac1db00e _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.7 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
- name: HawkEye Keylogger - RebornX, Version=10.1.2.7, Culture=neutral, PublicKeyToken=null
Signatures
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
- M00nD3v Logger Payload (2 IoCs)
  Detects M00nD3v Logger payload in memory.
  Processes (resource / yara_rule):
    behavioral2/memory/2000-8-0x0000000000400000-0x000000000049C000-memory.dmp / m00nd3v_logger
    behavioral2/memory/2000-9-0x0000000000497C3E-mapping.dmp / m00nd3v_logger
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 7da4f5e17791a774131c3c97538a2495.exe (description / pid / process / target process):
    PID 652 set thread context of 2000 / 652 / 7da4f5e17791a774131c3c97538a2495.exe / 7da4f5e17791a774131c3c97538a2495.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 7da4f5e17791a774131c3c97538a2495.exe (description / pid / process / target process):
    PID 652 wrote to memory of 2000 / 652 / 7da4f5e17791a774131c3c97538a2495.exe / 7da4f5e17791a774131c3c97538a2495.exe
    (this identical entry is listed 8 times in the report, one per WriteProcessMemory IoC)
Processes
- C:\Users\Admin\AppData\Local\Temp\7da4f5e17791a774131c3c97538a2495.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7da4f5e17791a774131c3c97538a2495.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7da4f5e17791a774131c3c97538a2495.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7da4f5e17791a774131c3c97538a2495.exe"
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7da4f5e17791a774131c3c97538a2495.exe.log
  MD5: bca5d9d288a7809c63f2d594cb7c7b94
  SHA1: 11689c8a592cd8706f0155b4574488dd872cbd97
  SHA256: d7a3ed9b26c989e840532a7f0fa21bc508f8fbcb2d37116fade84280f2a865ed
  SHA512: db30f307e6818573f06f115818476104abfce94f15d9ad11e8163aa3cc19cee4cc3c87c98ef45d5c978b6f166089cc0283e3cc9a5db8359a425c8da7039dae0d
- memory/652-2-0x0000000073FF0000-0x00000000746DE000-memory.dmp
  Filesize: 6.9MB
- memory/652-3-0x0000000000550000-0x0000000000551000-memory.dmp
  Filesize: 4KB
- memory/652-5-0x0000000002F90000-0x000000000303F000-memory.dmp
  Filesize: 700KB
- memory/652-6-0x0000000005990000-0x0000000005991000-memory.dmp
  Filesize: 4KB
- memory/652-7-0x00000000055C0000-0x00000000055C1000-memory.dmp
  Filesize: 4KB
- memory/2000-9-0x0000000000497C3E-mapping.dmp
- memory/2000-11-0x0000000074000000-0x00000000746EE000-memory.dmp
  Filesize: 6.9MB
- memory/2000-8-0x0000000000400000-0x000000000049C000-memory.dmp
  Filesize: 624KB
- memory/2000-14-0x0000000001790000-0x00000000017AA000-memory.dmp
  Filesize: 104KB
- memory/2000-16-0x0000000009DD0000-0x0000000009DD1000-memory.dmp
  Filesize: 4KB
- memory/2000-18-0x0000000005B20000-0x0000000005B21000-memory.dmp
  Filesize: 4KB
- memory/2000-19-0x0000000005AE0000-0x0000000005AE1000-memory.dmp
  Filesize: 4KB