Analysis
-
max time kernel
172s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
08-05-2022 22:39
General
-
Target
0df58978a28b178dee837a2e64cee7424f3d6498cc9bf54cb993537fa44e0788.exe
-
Size
1.9MB
-
MD5
1e46759bafac1ed3e1e193e921ae7ff4
-
SHA1
87f5e0193fbce5a9b172783bb09084c4408f5dfb
-
SHA256
0df58978a28b178dee837a2e64cee7424f3d6498cc9bf54cb993537fa44e0788
-
SHA512
cbaa5b31591e480e4b6521c103002c4cd23deebdb238e5369410f35ef6c9fecb94bdbc1069e0d5e1a41e3a7cbbda62a344bfb819788e290f94a47e71d1055c8c
Malware Config
Extracted
hawkeye_reborn
9.0.1.6
Protocol: smtp- Host:
fortepakistan.com - Port:
587 - Username:
[email protected] - Password:
k*x9cOZWttEV
624be3da-26b4-41f8-813a-f54aacfa6665
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:k*x9cOZWttEV _EmailPort:587 _EmailSSL:false _EmailServer:fortepakistan.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:624be3da-26b4-41f8-813a-f54aacfa6665 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 10 IoCs
Detects M00nD3v Logger payload in memory.
-
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 10 IoCs
Password recovery tool for various web browsers
-
Nirsoft 14 IoCs
-
Executes dropped EXE 3 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0df58978a28b178dee837a2e64cee7424f3d6498cc9bf54cb993537fa44e0788.exe"C:\Users\Admin\AppData\Local\Temp\0df58978a28b178dee837a2e64cee7424f3d6498cc9bf54cb993537fa44e0788.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFE1E.tmp"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA279.tmp"3⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn winlogons /tr "C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {2E8751FF-BF44-442F-843C-7779215B28CE} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exeC:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp31CB.tmp"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD7CB.tmp"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn winlogons /tr "C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe" /sc minute /mo 1 /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exeC:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"3⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp926.tmp"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn winlogons /tr "C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe" /sc minute /mo 1 /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exeC:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"3⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF22C.tmp"4⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn winlogons /tr "C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe" /sc minute /mo 1 /F3⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
1.9MB
MD5c9d9b94208ecd8a119c06bed4fe2c674
SHA19e80799e0b6fb41d3e3ea41c44a1cd2725198ba3
SHA256e66d5a880d06e064b83b4a816394bf2f569cf12eb718e037beced6ff0e48afda
SHA51227e1a864ca2818cfd88cd8eae88ead2e90903ce976874188b139d8fda1c2bb7c74bc80189f85aeecc0553535d9533fd6e26f76863ed1fa9f808daae7911a2b78
-
Filesize
1.9MB
MD5c9d9b94208ecd8a119c06bed4fe2c674
SHA19e80799e0b6fb41d3e3ea41c44a1cd2725198ba3
SHA256e66d5a880d06e064b83b4a816394bf2f569cf12eb718e037beced6ff0e48afda
SHA51227e1a864ca2818cfd88cd8eae88ead2e90903ce976874188b139d8fda1c2bb7c74bc80189f85aeecc0553535d9533fd6e26f76863ed1fa9f808daae7911a2b78
-
Filesize
1.9MB
MD5c9d9b94208ecd8a119c06bed4fe2c674
SHA19e80799e0b6fb41d3e3ea41c44a1cd2725198ba3
SHA256e66d5a880d06e064b83b4a816394bf2f569cf12eb718e037beced6ff0e48afda
SHA51227e1a864ca2818cfd88cd8eae88ead2e90903ce976874188b139d8fda1c2bb7c74bc80189f85aeecc0553535d9533fd6e26f76863ed1fa9f808daae7911a2b78
-
Filesize
1.9MB
MD5c9d9b94208ecd8a119c06bed4fe2c674
SHA19e80799e0b6fb41d3e3ea41c44a1cd2725198ba3
SHA256e66d5a880d06e064b83b4a816394bf2f569cf12eb718e037beced6ff0e48afda
SHA51227e1a864ca2818cfd88cd8eae88ead2e90903ce976874188b139d8fda1c2bb7c74bc80189f85aeecc0553535d9533fd6e26f76863ed1fa9f808daae7911a2b78
-
-
-
Filesize
112KB
-
-
Filesize
576KB
-
-
Filesize
576KB
-
Filesize
5.7MB
-
Filesize
576KB
-
-
Filesize
112KB
-
-
Filesize
5.7MB
-
-
-
-
-
Filesize
5.7MB
-
-
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
-
Filesize
364KB
-
Filesize
364KB
-
-
Filesize
8KB
-
Filesize
5.7MB
-
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-