Overview

overview

10

Static

static

5

DETALLES D...df.exe

windows7_x64

10

DETALLES D...df.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    126s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 13:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe

  • Size

    1.9MB

  • MD5

    161b5b19041f9bdbd9a39399b56a89d2

  • SHA1

    9f00d56b968638ba354d4e73831574e325e99a0f

  • SHA256

    1202e3f6949e818eade931f5a9f26e5eeab4fcbb0b7d4259fef0ace107d7218c

  • SHA512

    3ad79a67f95bea6e545e61fa4a2f27fd3978280890c8af7cb99fbe42b6560b9f82008c5c86efa7f56914498c94573486719a23e89938b4cdd4e7331c6c087dd6

Score
10/10
hawkeye_rebornm00nd3v_loggercollectioninfostealerkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

  • Protocol:     ftp
  • Host:
    ftp.kassohome.com.tr
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    J%jCb2L=!5~E
Mutex

a1754d62-0730-4ad6-8fcc-8e3f7c68284b

Attributes
  • fields

    map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:J%jCb2L=!5~E _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.kassohome.com.tr _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:219000 _MeltFile:false _Mutex:a1754d62-0730-4ad6-8fcc-8e3f7c68284b _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]

  • name

    HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • M00nD3v Logger Payload 1 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3420
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4484
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE4A8.tmp"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4728
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE8C0.tmp"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:4648

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE4A8.tmp
    Filesize

    4KB

    MD5

    92b3d04dbcf7aa8eabb0096c55624068

    SHA1

    04a3b14a8f16bdd8a67f1b5d6be8c3db79c766c7

    SHA256

    84e388e2bbff6a229d99df8d7e0558e46e793106c2f3bb290c6acc06fe31fe9c

    SHA512

    fbd6a298b66e2117f68028cdf9fa1b3e441f87fa8a052ce1be628ae65116d5b2953cdc8117dce57e86475a75412b1a85f431eb0da6dd788ec5312d34ff71f9d1

    Download Submit

  • memory/3420-137-0x0000000004760000-0x0000000004875000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3420-136-0x0000000004640000-0x0000000004755000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4484-138-0x0000000073F90000-0x0000000074541000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4484-131-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/4648-146-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/4648-148-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/4648-149-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/4728-140-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/4728-142-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/4728-143-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download