Overview

overview

10

Static

static

Receipt_01...20.exe

windows7_x64

10

Receipt_01...20.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    24s
  • max time network
    73s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    05-02-2022 18:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Receipt_01000002097_04292020.exe

  • Size

    656KB

  • MD5

    b0663cf3327d48337e5766a947d21417

  • SHA1

    f74d145cf40f6ebc6fe0c5ad6082c3ea86942c98

  • SHA256

    f17b34a25b38f624ce1dc8c5f36cefbf3a989b77714f4c566c085c56f03c8fbb

  • SHA512

    bab2ff206d991f2b8a9f9e4f5d07c1f95fe3aed2eda2bf807d05db3e18ddcb76fef3cc4c0e4a02641848145edba89d81e972f69caeee3b8a7867c2847ea98e83

Score
10/10
hawkeye_rebornm00nd3v_loggerkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.2.2

Credentials

  • Protocol:     ftp
  • Host:
    ftp.airbiast.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    playboy123#
Mutex

40f2c4d7-d616-43ae-974d-93b4bdc7e04d

Attributes
  • fields

    map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:playboy123# _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.airbiast.com _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:43800 _MeltFile:false _Mutex:40f2c4d7-d616-43ae-974d-93b4bdc7e04d _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]

  • name

    HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • M00nD3v Logger Payload 1 IoCs

    Detects M00nD3v Logger payload in memory.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Receipt_01000002097_04292020.exe
    "C:\Users\Admin\AppData\Local\Temp\Receipt_01000002097_04292020.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UIPykxfugaVz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8819.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4772
    • C:\Users\Admin\AppData\Local\Temp\Receipt_01000002097_04292020.exe
      "{path}"
      2⤵
        PID:1892

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp8819.tmp
      MD5

      a16292181d69aa397f0e4e6f3c5219f8

      SHA1

      224b3dd94c906f641b3f64ab46f04c74cdb4afeb

      SHA256

      2e7a86b3061fb50945e2c1c41e8ba60ec7304ad973ae5fb7a18fc558313ee87c

      SHA512

      42e2cea4763e24d60bd6e043ab61e8b3a1b04816048a1284c9ac16604452920a708a7bde6c78619c23511ba0e13d42be5b1cb1e75a2e00ff6c49bf21042b0975

      Download Submit

    • memory/1892-138-0x0000000000400000-0x0000000000490000-memory.dmp

      Filesize

      576KB

      Download

    • memory/2348-130-0x00000000007E0000-0x000000000088A000-memory.dmp

      Filesize

      680KB

      Download

    • memory/2348-131-0x00000000057B0000-0x0000000005D54000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2348-132-0x00000000052A0000-0x0000000005332000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2348-133-0x0000000005200000-0x00000000057A4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2348-134-0x0000000005240000-0x000000000524A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2348-135-0x0000000005510000-0x0000000005576000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2348-136-0x00000000089F0000-0x0000000008A8C000-memory.dmp

      Filesize

      624KB

      Download