Overview

overview

10

Static

static

ae72463f20...93.exe

windows7_x64

10

ae72463f20...93.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    95s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-06-2022 16:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593.exe

  • Size

    594KB

  • MD5

    48140b427e5241a5a806bbb0b925b7d2

  • SHA1

    772d2f450c44f05ac4132d7c9cb8b72e5e54332c

  • SHA256

    ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593

  • SHA512

    ecd026fc3a7aeb5baeabd811c15b279773a4c51457525b72baa1437231d523889596b2b4905c68cbdaedb7045404b878984bf94fee006e1e71435ac7ac8bdcb3

Score
10/10
hawkeye_rebornm00nd3v_loggerinfostealerkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • M00nD3v Logger Payload 1 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • Drops startup file 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593.exe
    "C:\Users\Admin\AppData\Local\Temp\ae72463f201a18d30960ea34ec664a5e30f2889fef997bd020eb73f83b0a9593.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4940
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w5bhkhzr\w5bhkhzr.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4064
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC6F.tmp" "c:\Users\Admin\AppData\Local\Temp\w5bhkhzr\CSC3B0C8139C4E64D1EA38A9A85CA7581D6.TMP"
        3⤵
          PID:3104
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        2⤵
          PID:4872
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          2⤵
            PID:2624

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RESBC6F.tmp
          Filesize

          1KB

          MD5

          d038db34a38f82d6a7e9e22e469c3f8e

          SHA1

          fc1e0524956452ef484087159499352091380d48

          SHA256

          5f1fafe097bfa7909f505b322786d85b64000fb09f2e3807882bc8891e07504a

          SHA512

          740b6691766b0786c0965c544f4625cd7de6174fc84a646732f3d58c58e3fc93e7778232df2242f6a511a4a9dedca6538f02169f04b09e0f3475eb8e00ed9e4e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\w5bhkhzr\w5bhkhzr.dll
          Filesize

          15KB

          MD5

          aad8db1d01f3c787fd7d2330102abd85

          SHA1

          167dbc9001639934754bd0df5b9f757a38b7136d

          SHA256

          0bab020234610ed9236e322bc149bc2f3052c442f184b48a415baea4254bae53

          SHA512

          1af087632dbbcd322215328fae3a674f149f7ca2f43eecc30ea9e468c285327a32fd0e7671016ebdb19600b4d918ef320293d77383f5ac7e379ac732976fb445

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\w5bhkhzr\w5bhkhzr.pdb
          Filesize

          51KB

          MD5

          0b69e6351f63042d91a4d12616369005

          SHA1

          59380cf8b89847c8f4513b9aa66643c5053bafa9

          SHA256

          4a10459f787d80d6d6f0c24644928e1180ef06b9425ad7e681cbf02ca950b2f4

          SHA512

          53a8afc8425ce0f03d1274e6a0b0c3b6bef72ca178120893391b989adc383c9d4f004fb505d180f19e2e2f38aa3358b04d481406b6f510a8f2affd1aeee94a9a

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\w5bhkhzr\CSC3B0C8139C4E64D1EA38A9A85CA7581D6.TMP
          Filesize

          1KB

          MD5

          7b4c233196b5f2f2f50a61031777ecdd

          SHA1

          ee120b0f3bc8c40c1e5dd3c8914a704236912f3a

          SHA256

          17f00ac0cac4803b663e06f488e964cf4f8788d92ccee3e22ce41d545d8faae5

          SHA512

          f8dd71a5f0541a6c4695af437ad86ae885a09e1c9e5c713b913cd359d69313dfc52c453c3e52d76acd3bfbb386a9ebb4c7238ada2443a4fc0bf5c3944d647883

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\w5bhkhzr\w5bhkhzr.0.cs
          Filesize

          29KB

          MD5

          b1b4726fefa6a60ae6c9372b54778396

          SHA1

          a2ba26bcd86e61188abe1856a9260c103181b62c

          SHA256

          bb621394d0af84a7bda3e5775694058126f77d9c63e4dcd863a9acb2f57ab2f5

          SHA512

          335a9f42de2e4b1f9465d64cdea3979d3667f88d3b5681a77701d4f2fe41f3c02386f4a66e99d8a94d978fd6260b411c2670c1f4340c9cff9011db89f639509c

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\w5bhkhzr\w5bhkhzr.cmdline
          Filesize

          312B

          MD5

          701451f382625fe0537035a2b1b97366

          SHA1

          635b3ec0052fb08f313104c6696e223b91603b05

          SHA256

          89e0d9bcbfb1e36f91558db2391ac915a3912b3adb5b45811787c3e1b81497e0

          SHA512

          2a18dcc951beb7f1f6ca17bce42f61c3235817ef7aa5d752a977b31db13248446ef52407c06bdd8e96c1b09d3d4f29b2a3358493a9b3608115c96fb284bba220

          Download Submit

        • memory/2624-142-0x0000000000000000-mapping.dmp

          Download

        • memory/2624-143-0x0000000000400000-0x0000000000490000-memory.dmp

          Filesize

          576KB

          Download

        • memory/2624-144-0x0000000075290000-0x0000000075841000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2624-145-0x0000000075290000-0x0000000075841000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2624-146-0x0000000075290000-0x0000000075841000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3104-134-0x0000000000000000-mapping.dmp

          Download

        • memory/4064-131-0x0000000000000000-mapping.dmp

          Download

        • memory/4872-141-0x0000000000000000-mapping.dmp

          Download

        • memory/4940-139-0x0000000004DC0000-0x0000000004E52000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4940-140-0x0000000005580000-0x000000000561C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/4940-130-0x00000000003A0000-0x000000000043A000-memory.dmp

          Filesize

          616KB

          Download