hawkeye_reborn | 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f

General

Target

522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
Size

1.3MB
MD5

5e01622448297de584b36419c58a5cad
SHA1

41666daf497c2997e0c326a22a0d87d2d421e602
SHA256

522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f
SHA512

a7cb35c81d272d0218cdfe6ae46484bc993049a19a78275876ef2512107bca738c548779845a7e20f51714e6181ad6181e40382424e01007a66d730265020a44

Score

10^/10

hawkeye_reborn m00nd3v_logger collection infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.parwazexpress.com
Port:
587
Username:
groupemail@parwazexpress.com
Password:
karachi123

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger payload 3 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp.exe	m00nd3v_logger
C:\Users\Admin\AppData\Local\Temp\tmp.exe	m00nd3v_logger
behavioral2/memory/3176-139-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/1400-160-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/1400-165-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/1400-168-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/1400-169-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/1252-170-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2440-148-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/4716-153-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/2440-154-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/4716-155-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/4716-158-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView
behavioral2/memory/2440-157-0x0000000000400000-0x000000000045B000-memory.dmp	WebBrowserPassView

Nirsoft 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2440-148-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4716-153-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/2440-154-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4716-155-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/4716-158-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/1400-160-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/1400-165-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/2440-157-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/1400-168-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/1400-169-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/1252-170-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

tmp.exe

pid process

4508 tmp.exe

pid	process
4508	tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

vbc.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exetmp.exe

description	pid	process	target process
PID 2860 set thread context of 3176	2860	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
PID 3176 set thread context of 2440	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe
PID 4508 set thread context of 4716	4508	tmp.exe	vbc.exe
PID 4508 set thread context of 1400	4508	tmp.exe	vbc.exe
PID 3176 set thread context of 1252	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe

Drops file in Windows directory 3 IoCs

Processes:

522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
File created	C:\Windows\assembly\Desktop.ini	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\buyrN\fefu.exe:Zone.Identifier cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\buyrN\fefu.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exevbc.exevbc.exetmp.exe

pid	process
2860	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
2860	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
2440	vbc.exe
2440	vbc.exe
4716	vbc.exe
4716	vbc.exe
4716	vbc.exe
2440	vbc.exe
4716	vbc.exe
2440	vbc.exe
4716	vbc.exe
2440	vbc.exe
4716	vbc.exe
2440	vbc.exe
2440	vbc.exe
2440	vbc.exe
4716	vbc.exe
4716	vbc.exe
2440	vbc.exe
2440	vbc.exe
2440	vbc.exe
2440	vbc.exe
4716	vbc.exe
4716	vbc.exe
4716	vbc.exe
4716	vbc.exe
4508	tmp.exe
4508	tmp.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe

pid process

3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe

pid	process
3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exetmp.exe

description	pid	process
Token: SeDebugPrivilege	2860	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
Token: SeDebugPrivilege	4508	tmp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tmp.exe522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe

pid process

4508 tmp.exe
3176 522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe

pid	process
4508	tmp.exe
3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.execmd.exetmp.exe522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe

description	pid	process	target process
PID 2860 wrote to memory of 2652	2860	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	cmd.exe
PID 2860 wrote to memory of 2652	2860	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	cmd.exe
PID 2860 wrote to memory of 2652	2860	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	cmd.exe
PID 2652 wrote to memory of 3632	2652	cmd.exe	reg.exe
PID 2652 wrote to memory of 3632	2652	cmd.exe	reg.exe
PID 2652 wrote to memory of 3632	2652	cmd.exe	reg.exe
PID 2860 wrote to memory of 4508	2860	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	tmp.exe
PID 2860 wrote to memory of 4508	2860	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	tmp.exe
PID 2860 wrote to memory of 4508	2860	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	tmp.exe
PID 2860 wrote to memory of 3176	2860	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
PID 2860 wrote to memory of 3176	2860	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
PID 2860 wrote to memory of 3176	2860	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
PID 2860 wrote to memory of 3176	2860	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
PID 2860 wrote to memory of 3176	2860	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
PID 2860 wrote to memory of 3176	2860	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
PID 2860 wrote to memory of 3176	2860	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
PID 2860 wrote to memory of 3176	2860	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
PID 4508 wrote to memory of 4716	4508	tmp.exe	vbc.exe
PID 4508 wrote to memory of 4716	4508	tmp.exe	vbc.exe
PID 4508 wrote to memory of 4716	4508	tmp.exe	vbc.exe
PID 3176 wrote to memory of 2440	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe
PID 3176 wrote to memory of 2440	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe
PID 3176 wrote to memory of 2440	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe
PID 3176 wrote to memory of 2440	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe
PID 3176 wrote to memory of 2440	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe
PID 3176 wrote to memory of 2440	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe
PID 3176 wrote to memory of 2440	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe
PID 3176 wrote to memory of 2440	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe
PID 3176 wrote to memory of 2440	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe
PID 4508 wrote to memory of 4716	4508	tmp.exe	vbc.exe
PID 4508 wrote to memory of 4716	4508	tmp.exe	vbc.exe
PID 4508 wrote to memory of 4716	4508	tmp.exe	vbc.exe
PID 4508 wrote to memory of 4716	4508	tmp.exe	vbc.exe
PID 4508 wrote to memory of 4716	4508	tmp.exe	vbc.exe
PID 4508 wrote to memory of 4716	4508	tmp.exe	vbc.exe
PID 4508 wrote to memory of 1400	4508	tmp.exe	vbc.exe
PID 4508 wrote to memory of 1400	4508	tmp.exe	vbc.exe
PID 4508 wrote to memory of 1400	4508	tmp.exe	vbc.exe
PID 4508 wrote to memory of 1400	4508	tmp.exe	vbc.exe
PID 4508 wrote to memory of 1400	4508	tmp.exe	vbc.exe
PID 4508 wrote to memory of 1400	4508	tmp.exe	vbc.exe
PID 4508 wrote to memory of 1400	4508	tmp.exe	vbc.exe
PID 4508 wrote to memory of 1400	4508	tmp.exe	vbc.exe
PID 4508 wrote to memory of 1400	4508	tmp.exe	vbc.exe
PID 3176 wrote to memory of 1252	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe
PID 3176 wrote to memory of 1252	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe
PID 3176 wrote to memory of 1252	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe
PID 3176 wrote to memory of 1252	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe
PID 3176 wrote to memory of 1252	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe
PID 3176 wrote to memory of 1252	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe
PID 3176 wrote to memory of 1252	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe
PID 3176 wrote to memory of 1252	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe
PID 3176 wrote to memory of 1252	3176	522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
"C:\Users\Admin\AppData\Local\Temp\522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\buyrN\fefu.exe.lnk" /f
3⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp87AF.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4716

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8C14.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:1400

C:\Users\Admin\AppData\Local\Temp\522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe
"C:\Users\Admin\AppData\Local\Temp\522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp87AE.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp8C72.tmp"
3⤵
- Accesses Microsoft Outlook accounts
PID:1252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\02d86261-e622-3eac-9180-48fecd231839
Filesize
152B

MD5
8692b01999e1c418ceed010d17e35260

SHA1
a42e6aab98776c1f84a46fbb0b015f57e1ff1ba4

SHA256
c6ea4991a26377817eefd32c541b086b1c2f1be9361362a9b24638b33774c673

SHA512
d4a16c3f04550ea6dc8049fc34699b16afb0cc2033697a622a49429052872ad874d7728da22687a1847dda96453c57b04669fb0e549e50968d56e0a37ae3493d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
552KB

MD5
d2570e352cbfe33f2bad04befa62c5d6

SHA1
b8e952d44cdbf5cf4211ad1602087f3f5e256a0a

SHA256
291cb8705900743c0ca5e9e6dd124319642234aeb31b6cd3c3ac6e5571692ad0

SHA512
bbd883617ce5bd48edba93daab5872be70adb85d2006f712b8e20ebf74954f0b6c50b0a0eecdab0a08b341eb832ab403b35d1aebc8d789dc6235cf5d4ebe7718

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
552KB

MD5
d2570e352cbfe33f2bad04befa62c5d6

SHA1
b8e952d44cdbf5cf4211ad1602087f3f5e256a0a

SHA256
291cb8705900743c0ca5e9e6dd124319642234aeb31b6cd3c3ac6e5571692ad0

SHA512
bbd883617ce5bd48edba93daab5872be70adb85d2006f712b8e20ebf74954f0b6c50b0a0eecdab0a08b341eb832ab403b35d1aebc8d789dc6235cf5d4ebe7718

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp87AE.tmp
Filesize
4KB

MD5
a44410c464bc23ac615f732de976447c

SHA1
e13bb8bfa077dd78dda795b3c21750f217ba4d36

SHA256
a1a6fab77bd9c6713b610b41cb025ba806b8fd64fb80b862e1c44ab2277545a6

SHA512
15e8af0f65161d9ffe068f10083bb2aebfa9be89a36ca6816853f05b58dd05ea46c5abd2f306a354b6ce9eeab20f26a900c6cf3233553bacf168dcbefb79e31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp87AF.tmp
Filesize
4KB

MD5
a44410c464bc23ac615f732de976447c

SHA1
e13bb8bfa077dd78dda795b3c21750f217ba4d36

SHA256
a1a6fab77bd9c6713b610b41cb025ba806b8fd64fb80b862e1c44ab2277545a6

SHA512
15e8af0f65161d9ffe068f10083bb2aebfa9be89a36ca6816853f05b58dd05ea46c5abd2f306a354b6ce9eeab20f26a900c6cf3233553bacf168dcbefb79e31a

Download Submit
C:\Users\Admin\AppData\Roaming\buyrN\fefu.exe
Filesize
1.3MB

MD5
5e01622448297de584b36419c58a5cad

SHA1
41666daf497c2997e0c326a22a0d87d2d421e602

SHA256
522ec4c87221e3f7047ee0fe3eeee288eab1298a7abf950120294e3a21e23b9f

SHA512
a7cb35c81d272d0218cdfe6ae46484bc993049a19a78275876ef2512107bca738c548779845a7e20f51714e6181ad6181e40382424e01007a66d730265020a44

Download Submit
memory/1252-162-0x0000000000000000-mapping.dmp

Download
memory/1252-170-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1400-165-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1400-168-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1400-159-0x0000000000000000-mapping.dmp

Download
memory/1400-169-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1400-160-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2440-157-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2440-147-0x0000000000000000-mapping.dmp

Download
memory/2440-148-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2440-154-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2652-132-0x0000000000000000-mapping.dmp

Download
memory/2860-142-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/2860-131-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/2860-130-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/3176-139-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3176-144-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/3176-141-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/3176-138-0x0000000000000000-mapping.dmp

Download
memory/3632-133-0x0000000000000000-mapping.dmp

Download
memory/4508-143-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/4508-140-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/4508-135-0x0000000000000000-mapping.dmp

Download
memory/4716-158-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4716-155-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4716-153-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4716-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads