Overview

overview

10

Static

static

ae72463f20...93.exe

windows7_x64

10

ae72463f20...93.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    40s
  • max time network
    55s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    15-06-2022 16:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593.exe

  • Size

    594KB

  • MD5

    48140b427e5241a5a806bbb0b925b7d2

  • SHA1

    772d2f450c44f05ac4132d7c9cb8b72e5e54332c

  • SHA256

    ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593

  • SHA512

    ecd026fc3a7aeb5baeabd811c15b279773a4c51457525b72baa1437231d523889596b2b4905c68cbdaedb7045404b878984bf94fee006e1e71435ac7ac8bdcb3

Score
10/10
hawkeye_rebornm00nd3v_loggerinfostealerkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • M00nD3v Logger Payload 7 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • Drops startup file 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593.exe
    "C:\Users\Admin\AppData\Local\Temp\ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2oqbfva0\2oqbfva0.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A79.tmp" "c:\Users\Admin\AppData\Local\Temp\2oqbfva0\CSCE3B4BC1E27704E209B6CD11A1C7F42CC.TMP"
        3⤵
          PID:1808
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        2⤵
          PID:1812

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\2oqbfva0\2oqbfva0.dll
        Filesize

        15KB

        MD5

        c0a6ce39eebccf2bbb39acbfe21c4cad

        SHA1

        6fc251f0c664241032cc90dab182381323a5e9b2

        SHA256

        023069da6bf5c89e8c6b5976e6243008f6d8e86828f5086fc9ca00d8409b46c8

        SHA512

        4d0fc04619cbd7769af4eb521f337a27c9151e3571e93d214ea760fedaef0669de19e975ae5b24215646cc7e7d51284f0f405dc8e6fe93635fb0aeadf49a43d6

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\2oqbfva0\2oqbfva0.pdb
        Filesize

        51KB

        MD5

        120800b569b1cdb132a248dbff74128d

        SHA1

        30c5d93cfa4ce9ad067d6483f2effe26a2a05824

        SHA256

        a7a267641dbac7733593d1c242039efcbcf8411830b5a0201f8bcc9d7bc191c8

        SHA512

        99a48668f147bd8de6135fffabddb8188fe94ec76766e953192e03746e8493d93fa3b8cab8f03cf7dd7849c854a08c44dcc6c7dfcd29022f4d44884f8624ce4e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RES4A79.tmp
        Filesize

        1KB

        MD5

        d0e54f9e4ca6e5cde69e39cae738556d

        SHA1

        5a0de0d82a77aa6d45af314397f4214fc36e0fe6

        SHA256

        8211e83eeffd07583480df8090ad130e666dcca135c561babe5fcdfa6fd18244

        SHA512

        eda927213d3130154f9c6948765f0563277012448369a901176ec3568f49b1c533d5531cf5c16ed0743a93d797016dd697a3b48f3ecfcef67cd77bc5be398802

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\2oqbfva0\2oqbfva0.0.cs
        Filesize

        29KB

        MD5

        b1b4726fefa6a60ae6c9372b54778396

        SHA1

        a2ba26bcd86e61188abe1856a9260c103181b62c

        SHA256

        bb621394d0af84a7bda3e5775694058126f77d9c63e4dcd863a9acb2f57ab2f5

        SHA512

        335a9f42de2e4b1f9465d64cdea3979d3667f88d3b5681a77701d4f2fe41f3c02386f4a66e99d8a94d978fd6260b411c2670c1f4340c9cff9011db89f639509c

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\2oqbfva0\2oqbfva0.cmdline
        Filesize

        312B

        MD5

        4eca984360df39f11c33eff375ebe2b8

        SHA1

        df99584662757b014bad29fa2a397bc45f66dd7d

        SHA256

        bbd90668ec8d36f3c063c365e7c71ec6e48d6ce559a80cbd164cb5e7b436045a

        SHA512

        a1fc25a441fa401ad48e75158d99370cfd03cb6aacc012db784bbe4d88a497bac58a671311f5b61bb77853a2c675212450cf2fad5da355fc251b7de368ba2f80

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\2oqbfva0\CSCE3B4BC1E27704E209B6CD11A1C7F42CC.TMP
        Filesize

        1KB

        MD5

        24851a1e81c0b58225a2dbebcc7c0f38

        SHA1

        54c709fd452b077b1431aeaa529ba55afa24f11f

        SHA256

        58e088b7938abf2579013b57506b355b50eacf24ebdc8408173672fcb604131b

        SHA512

        919290dc0aed1c4024d3a54143ae65c9ab818ca97d56a84473ef52c440e507389b861ac8dceca129b4a8bdfbc605f61081bd0f3485c7bac0f019d2287919f3f2

        Download Submit
      • memory/1700-66-0x0000000075841000-0x0000000075843000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1700-63-0x00000000003E0000-0x00000000003EA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/1700-64-0x0000000004D00000-0x0000000004D9A000-memory.dmp
        Filesize

        616KB

        Download
      • memory/1700-65-0x0000000000420000-0x000000000042C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1700-54-0x0000000000130000-0x00000000001CA000-memory.dmp
        Filesize

        616KB

        Download
      • memory/1700-67-0x0000000004E30000-0x0000000004EC0000-memory.dmp
        Filesize

        576KB

        Download
      • memory/1768-55-0x0000000000000000-mapping.dmp
        Download
      • memory/1808-58-0x0000000000000000-mapping.dmp
        Download
      • memory/1812-69-0x0000000000400000-0x0000000000490000-memory.dmp
        Filesize

        576KB

        Download
      • memory/1812-68-0x0000000000400000-0x0000000000490000-memory.dmp
        Filesize

        576KB

        Download
      • memory/1812-72-0x0000000000400000-0x0000000000490000-memory.dmp
        Filesize

        576KB

        Download
      • memory/1812-73-0x0000000000400000-0x0000000000490000-memory.dmp
        Filesize

        576KB

        Download
      • memory/1812-71-0x0000000000400000-0x0000000000490000-memory.dmp
        Filesize

        576KB

        Download
      • memory/1812-74-0x000000000048B1CE-mapping.dmp
        Download
      • memory/1812-76-0x0000000000400000-0x0000000000490000-memory.dmp
        Filesize

        576KB

        Download
      • memory/1812-78-0x0000000000400000-0x0000000000490000-memory.dmp
        Filesize

        576KB

        Download
      • memory/1812-80-0x0000000074720000-0x0000000074CCB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1812-81-0x0000000074720000-0x0000000074CCB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1812-82-0x0000000074720000-0x0000000074CCB000-memory.dmp
        Filesize

        5.7MB

        Download