Overview

overview

10

Static

static

2db9b75490...fd.exe

windows7_x64

10

2db9b75490...fd.exe

windows10-2004_x64

9

Analysis

  • max time kernel
    150s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    22-06-2022 14:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe

  • Size

    1.1MB

  • MD5

    6d8acff823a127a4aa930222a8eed23f

  • SHA1

    cc1a08d02a700c58d7b062b20e90cdaf902d538d

  • SHA256

    2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd

  • SHA512

    63cae851b7f1b0713b02ddd3019c09398455deec0c23330249b28854e2c06b13ee2de285c7ac3ffb6b164ec6b967eaad5ded0b2f2b6619e31923b21e74e78c83

Score
10/10
hawkeye_rebornm00nd3v_loggerinfostealerkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

  • Protocol:     smtp
  • Host:
    kalyacourtshotel.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    123@bookings
Mutex

1ecdf2b5-cbf1-4b8d-ab2b-c4323d1e4ceb

Attributes
  • fields

    map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:123@bookings _EmailPort:587 _EmailSSL:true _EmailServer:kalyacourtshotel.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:1ecdf2b5-cbf1-4b8d-ab2b-c4323d1e4ceb _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]

  • name

    HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • M00nD3v Logger Payload 6 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • NirSoft WebBrowserPassView 5 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe
    "C:\Users\Admin\AppData\Local\Temp\2db9b75490c61fc03adebf52cdeba1619e0dbe709af6805a3488e13484768cfd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:948
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JQzAAaQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4329.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1828
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBA6A.tmp"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Scripting

1
T1064

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp4329.tmp
    Filesize

    1KB

    MD5

    9af5ee450630182c6b984c911485ef70

    SHA1

    2cab5ffed0cd2b4c9e8adf75ca2b2a8d811414cf

    SHA256

    2472738b40afaa36f0409896d61ad99504fabb97a2156a1e4682314761facbc0

    SHA512

    66f57ee678085c69501569784af93834ceb8f344422cf8e6b935de0ae52653dd187ee1aff3d69a3ee494876c0c75a34b434a84ad245990bf0f2ef82539e5858a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpBA6A.tmp
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit
  • memory/948-72-0x0000000074290000-0x000000007483B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/948-55-0x0000000074290000-0x000000007483B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/948-56-0x0000000074290000-0x000000007483B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/948-54-0x0000000074F21000-0x0000000074F23000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1828-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1868-87-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1868-76-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1868-86-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1868-83-0x000000000044472E-mapping.dmp
    Download
  • memory/1868-82-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1868-80-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1868-78-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1868-89-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1868-73-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1868-74-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1932-60-0x0000000000400000-0x0000000000490000-memory.dmp
    Filesize

    576KB

    Download
  • memory/1932-71-0x0000000074290000-0x000000007483B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1932-69-0x0000000000400000-0x0000000000490000-memory.dmp
    Filesize

    576KB

    Download
  • memory/1932-67-0x0000000000400000-0x0000000000490000-memory.dmp
    Filesize

    576KB

    Download
  • memory/1932-65-0x000000000048B2FE-mapping.dmp
    Download
  • memory/1932-64-0x0000000000400000-0x0000000000490000-memory.dmp
    Filesize

    576KB

    Download
  • memory/1932-63-0x0000000000400000-0x0000000000490000-memory.dmp
    Filesize

    576KB

    Download
  • memory/1932-88-0x0000000074290000-0x000000007483B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1932-62-0x0000000000400000-0x0000000000490000-memory.dmp
    Filesize

    576KB

    Download
  • memory/1932-59-0x0000000000400000-0x0000000000490000-memory.dmp
    Filesize

    576KB

    Download