Overview

overview

10

Static

static

f298bfeead...fd.exe

windows7-x64

10

f298bfeead...fd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    57s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    25-07-2022 04:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f298bfeead320b32fecc3e5e17b2e5e18c333637ed04a8df4008aad859d89dfd.exe

  • Size

    1.3MB

  • MD5

    c33b87f51e555f1e5317293e4a34049e

  • SHA1

    7ad16a1923c1f0298dee9bd997dbec09087938ed

  • SHA256

    f298bfeead320b32fecc3e5e17b2e5e18c333637ed04a8df4008aad859d89dfd

  • SHA512

    aed563dd5f20ba822497ba2e5cb92b15509b66971a2dc01805c0a1e2b4d3c4590766891f2080bc3a11b96fd5d41204d29795534114d5591ab040082013226409

Score
10/10
hawkeye_rebornm00nd3v_loggeragilenetinfostealerkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • M00nD3v Logger payload 5 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f298bfeead320b32fecc3e5e17b2e5e18c333637ed04a8df4008aad859d89dfd.exe
    "C:\Users\Admin\AppData\Local\Temp\f298bfeead320b32fecc3e5e17b2e5e18c333637ed04a8df4008aad859d89dfd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Users\Admin\AppData\Local\Temp\f298bfeead320b32fecc3e5e17b2e5e18c333637ed04a8df4008aad859d89dfd.exe
      "C:\Users\Admin\AppData\Local\Temp\f298bfeead320b32fecc3e5e17b2e5e18c333637ed04a8df4008aad859d89dfd.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1744-54-0x00000000003B0000-0x0000000000500000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1744-55-0x0000000000380000-0x00000000003AC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1744-56-0x0000000076091000-0x0000000076093000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1780-57-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/1780-59-0x00000000001C0000-0x0000000000250000-memory.dmp

    Filesize

    576KB

    Download

  • memory/1780-60-0x00000000001C0000-0x0000000000250000-memory.dmp

    Filesize

    576KB

    Download

  • memory/1780-64-0x00000000001C0000-0x0000000000250000-memory.dmp

    Filesize

    576KB

    Download

  • memory/1780-67-0x00000000001C0000-0x0000000000250000-memory.dmp

    Filesize

    576KB

    Download

  • memory/1780-68-0x00000000008C0000-0x0000000000936000-memory.dmp

    Filesize

    472KB

    Download