Analysis
-
max time kernel
184s -
max time network
191s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
16-06-2022 07:54
General
-
Target
269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe
-
Size
911KB
-
MD5
51667a5b1127b0a1b4ef6c2746a62c26
-
SHA1
a47db208970a0ea9edec216e7dfc7ea372e8a2a9
-
SHA256
269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177
-
SHA512
107ce8c918ea9eddd0c51811028d630041b6e0bc8f23606524efbfa1a1c38f0cfea38f6dbabad0d7b22086c672314e00c6f5d3575ec73c1504c94eb8a634f439
Malware Config
Extracted
hawkeye_reborn
9.0.0.5
Protocol: smtp- Host:
mail.firstmetalcorp.ml - Port:
25 - Username:
test@firstmetalcorp.ml - Password:
chinonsonkechi22#
71edc002-be96-423f-a992-741c9f579010
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:chinonsonkechi22# _EmailPort:25 _EmailSSL:false _EmailServer:mail.firstmetalcorp.ml _EmailUsername:test@firstmetalcorp.ml _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:true _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:71edc002-be96-423f-a992-741c9f579010 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:true _Version:9.0.0.5 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - Reborn v9, Version=9.0.0.5, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 1 IoCs
Detects M00nD3v Logger payload in memory.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe"C:\Users\Admin\AppData\Local\Temp\269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe"C:\Users\Admin\AppData\Local\Temp\269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\269c8e68714341adc766fe09f2c311013461504ea4845b447c2350f16f776177.exe.logFilesize
706B
MD50110f3d722cddd9753644c78a308ff57
SHA1c461bb3812ae8a3c77d0ec99850b3a88eda2ccc7
SHA25603c3a90b4c2615ddd7bc4b663ba3cce4969223c0a21c53624c6f792ffde91de4
SHA5128a581416a1a9e355e6cda1d4f2a93df807421ec2706c717c5d5d2acd004af2c14ee77d94c48e6643320dd2cd2e1072b9cfd8ecf37c0e8fb38df7d9f0c40cdf63
-
memory/2232-130-0x0000000000740000-0x000000000082A000-memory.dmpFilesize
936KB
-
memory/2232-131-0x00000000051E0000-0x0000000005272000-memory.dmpFilesize
584KB
-
memory/2232-132-0x0000000005830000-0x0000000005DD4000-memory.dmpFilesize
5.6MB
-
memory/2232-133-0x00000000066D0000-0x000000000676C000-memory.dmpFilesize
624KB
-
memory/3864-134-0x0000000000000000-mapping.dmp
-
memory/3864-137-0x0000000000510000-0x00000000005A0000-memory.dmpFilesize
576KB
-
memory/3864-138-0x0000000004C50000-0x0000000004CB6000-memory.dmpFilesize
408KB