Malware Analysis Report

2025-01-18 02:41

Sample ID 220205-mdjz4saegj
Target c5350ccf5cc2c3dc25322ec061452fb6617c0ab80eefceedf29fbd5d42fed212
SHA256 c5350ccf5cc2c3dc25322ec061452fb6617c0ab80eefceedf29fbd5d42fed212
Tags
hawkeye_reborn m00nd3v_logger collection keylogger rezer0 spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c5350ccf5cc2c3dc25322ec061452fb6617c0ab80eefceedf29fbd5d42fed212

Threat Level: Known bad

The file c5350ccf5cc2c3dc25322ec061452fb6617c0ab80eefceedf29fbd5d42fed212 was found to be: Known bad.

Malicious Activity Summary

hawkeye_reborn m00nd3v_logger collection keylogger rezer0 spyware stealer trojan

M00nd3v_Logger

HawkEye Reborn

M00nD3v Logger Payload

ReZer0 packer

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

outlook_win_path

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-05 10:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-05 10:20

Reported

2022-02-05 10:23

Platform

win7-en-20211208

Max time kernel

67s

Max time network

31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe"

Signatures

HawkEye Reborn

keylogger trojan stealer spyware hawkeye_reborn

M00nd3v_Logger

stealer spyware m00nd3v_logger

M00nD3v Logger Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A bot.whatismyipaddress.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 616 set thread context of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 616 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe C:\Windows\SysWOW64\schtasks.exe
PID 616 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe C:\Windows\SysWOW64\schtasks.exe
PID 616 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe C:\Windows\SysWOW64\schtasks.exe
PID 616 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe C:\Windows\SysWOW64\schtasks.exe
PID 616 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe
PID 616 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe
PID 616 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe
PID 616 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe
PID 616 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe
PID 616 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe
PID 616 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe
PID 616 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe
PID 616 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe

"C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\naityLl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp34A.tmp"

C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 bot.whatismyipaddress.com udp

Files

memory/616-53-0x0000000000FF0000-0x00000000010AC000-memory.dmp

memory/616-54-0x0000000076421000-0x0000000076423000-memory.dmp

memory/616-55-0x0000000007240000-0x0000000007241000-memory.dmp

memory/616-56-0x00000000008D0000-0x00000000008D8000-memory.dmp

memory/616-57-0x0000000000450000-0x00000000004E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp34A.tmp

MD5 612d8e5b7d732cbb511eb015c00d27c0
SHA1 618fc167011e68508cb6300021083adfd54c57ea
SHA256 948255a97b6056dee225b2ef10b0df66b24db9c27c36745a8da02a30a0adcb55
SHA512 5a123d76674c4e8a11d142ec76a8a681cb4c136127e251906974c6f0cc1299c48d6eb4169e600a48ee51052a278912cfa8bc7c1cd3c934d1dd75f1e1d67c9876

memory/1592-59-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1592-60-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1592-61-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1592-62-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1592-63-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1592-64-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1592-65-0x0000000000490000-0x0000000000496000-memory.dmp

memory/1592-67-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-05 10:20

Reported

2022-02-05 10:23

Platform

win10v2004-en-20220113

Max time kernel

18s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe

"C:\Users\Admin\AppData\Local\Temp\Receipt_010000002097_04292020.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp

Files

memory/2556-133-0x0000000000C00000-0x0000000000CBC000-memory.dmp

memory/2556-134-0x0000000008080000-0x0000000008624000-memory.dmp

memory/2556-135-0x0000000007B70000-0x0000000007C02000-memory.dmp