Overview

overview

10

Static

static

56daa62d70...03.exe

windows7-x64

10

56daa62d70...03.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    25-07-2022 01:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe

  • Size

    784KB

  • MD5

    54464655fb5ff2c0ef68221ae9d33d03

  • SHA1

    60033388221f7af6b147b800452de5bc4ebd27db

  • SHA256

    56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203

  • SHA512

    108ad5c0b7f8e2f6edce46d1661a1646a38e014c40964d7e2b9c465129a686b15e3ca51bff85f3f067d37b38f610e313e30ca3d569fa502545e727937f1ca220

Score
10/10
hawkeye_rebornm00nd3v_loggerinfostealerkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

  • Protocol:     smtp
  • Host:
    kalyacourtshotel.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    123@bookings
Mutex

1ecdf2b5-cbf1-4b8d-ab2b-c4323d1e4ceb

Attributes
  • fields

    map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:123@bookings _EmailPort:587 _EmailSSL:true _EmailServer:kalyacourtshotel.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:1ecdf2b5-cbf1-4b8d-ab2b-c4323d1e4ceb _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]

  • name

    HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • M00nD3v Logger payload 6 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • NirSoft WebBrowserPassView 5 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe
    "C:\Users\Admin\AppData\Local\Temp\56daa62d701d5461dae9b1a9a9e28a1bfc5ddde875699749ad7096b79b098203.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eGfjPrL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC939.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:988
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFD63.tmp"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1468

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpC939.tmp
    Filesize

    1KB

    MD5

    4117aedf8bbde5de32386b0d4643d726

    SHA1

    04a72a9dd54ad06a2bf55f56dc0b3f10cb0e9c61

    SHA256

    f3a12bd2392f5b443e4090dd4690917e3ee78333fd12c706b1d222e0e1e85b5c

    SHA512

    8ad2a820be477e311b2a54d79656be60e84c83d0c48b8b706dbece97ca7b1b18a255126e9afee8793d22728d8bcf9f2acc518d9b38db28547f72c64eca706e15

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpFD63.tmp
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • memory/848-72-0x0000000074A80000-0x000000007502B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/848-59-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/848-73-0x0000000074A80000-0x000000007502B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/848-89-0x0000000074A80000-0x000000007502B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/848-60-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/848-62-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/848-63-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/848-64-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/848-68-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/848-70-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/1468-83-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/1468-88-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/1468-90-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/1468-75-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/1468-77-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/1468-79-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/1468-81-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/1468-74-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/1468-87-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/1624-56-0x0000000074C30000-0x00000000751DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1624-67-0x0000000074C30000-0x00000000751DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1624-55-0x0000000074C30000-0x00000000751DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1624-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

    Filesize

    8KB

    Download