Analysis
-
max time kernel
161s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
01-02-2022 03:03
General
-
Target
e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe
-
Size
2.2MB
-
MD5
65d92895ecaec816edad069d799d6bbc
-
SHA1
a31f6ab392db84a748a7dd0b1edf5117f65296ec
-
SHA256
e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade
-
SHA512
f649cd23d3183317cab12223777229be73b6fe128917339ac61867422664b6bba26e4aac9d6c8d3cfca5289e04e766af399e58082e49bf56726dd29a24e1a513
Malware Config
Extracted
hawkeye_reborn
9.0.1.6
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
[email protected] - Password:
*iMTk].!][Yb2
16bf04f9-ae09-4c30-940a-83c545db9bca
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:*iMTk].!][Yb2 _EmailPort:587 _EmailSSL:true _EmailServer:mail.privateemail.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:16bf04f9-ae09-4c30-940a-83c545db9bca _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 1 IoCs
Detects M00nD3v Logger payload in memory.
-
Sets service image path in registry 2 TTPs
-
Drops startup file 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Modifies data under HKEY_USERS 41 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe"C:\Users\Admin\AppData\Local\Temp\e93e167c476d50cc64b66408df5349567d3bb99a0530520a0ed4ed5e1e1d3ade.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 3a04e55d6aa780c36e94e8a8ec7e2a0d yiOR4kwYa0WH7DsHuFQ1tQ.0.1.0.0.01⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
576KB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
40KB