Overview

overview

10

Static

static

5420a4b5bd...30.exe

windows7-x64

10

5420a4b5bd...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    25-07-2022 20:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5420a4b5bde081383f5cd023e5e270fa940f066087b83ada3e290550fd27f330.exe

  • Size

    1.1MB

  • MD5

    17317e485baaee24963ba10b4fbb02de

  • SHA1

    b738ea496f24c0bf920dcd662047880fb880630f

  • SHA256

    5420a4b5bde081383f5cd023e5e270fa940f066087b83ada3e290550fd27f330

  • SHA512

    6b245005c6dfbfaa85f349041bdc42f6d77f5bc0b6c8d81134b3d8049a029aa4b933eb7eb8ff3d0cb015440c1a0c0682e7bd53644f0952ddfc2090f532d99065

Score
10/10
hawkeye_rebornm00nd3v_loggernetwirebotnetinfostealerkeyloggerratspywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Extracted

Family

netwire

C2

wealthyman.brasilia.me:39560

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    WEALTH

  • keylogger_dir

    %AppData%\music\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    sucess

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • NetWire RAT payload 1 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • M00nD3v Logger payload 3 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • NirSoft WebBrowserPassView 5 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5420a4b5bde081383f5cd023e5e270fa940f066087b83ada3e290550fd27f330.exe
    "C:\Users\Admin\AppData\Local\Temp\5420a4b5bde081383f5cd023e5e270fa940f066087b83ada3e290550fd27f330.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Users\Admin\AppData\Local\Temp\HKSERVER.exe
      "C:\Users\Admin\AppData\Local\Temp\HKSERVER.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC41B.tmp"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\HKSERVER.exe
    Filesize

    552KB

    MD5

    79cb789655a53a9844ed4bcc859e7931

    SHA1

    7792b6ab97d927dd6ef1a254dc0dc72b363f99a5

    SHA256

    d93d3b7171120b37fc1e1ce495e6b7000befdd846bd4d27d7aa43d1289405a7f

    SHA512

    c8b0d46c40cb541e87490a48d61044f76190fa5b31db172d8bc1d788050e5b287b824ddcb4f2afb543ffc900947a0a0af9d85579d134d2c584a73a8d97ddd173

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\HKSERVER.exe
    Filesize

    552KB

    MD5

    79cb789655a53a9844ed4bcc859e7931

    SHA1

    7792b6ab97d927dd6ef1a254dc0dc72b363f99a5

    SHA256

    d93d3b7171120b37fc1e1ce495e6b7000befdd846bd4d27d7aa43d1289405a7f

    SHA512

    c8b0d46c40cb541e87490a48d61044f76190fa5b31db172d8bc1d788050e5b287b824ddcb4f2afb543ffc900947a0a0af9d85579d134d2c584a73a8d97ddd173

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpC41B.tmp
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit
  • \Users\Admin\AppData\Local\Temp\HKSERVER.exe
    Filesize

    552KB

    MD5

    79cb789655a53a9844ed4bcc859e7931

    SHA1

    7792b6ab97d927dd6ef1a254dc0dc72b363f99a5

    SHA256

    d93d3b7171120b37fc1e1ce495e6b7000befdd846bd4d27d7aa43d1289405a7f

    SHA512

    c8b0d46c40cb541e87490a48d61044f76190fa5b31db172d8bc1d788050e5b287b824ddcb4f2afb543ffc900947a0a0af9d85579d134d2c584a73a8d97ddd173

    Download Submit
  • memory/1540-73-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1540-86-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1540-88-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1540-87-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1540-83-0x000000000044472E-mapping.dmp
    Download
  • memory/1540-82-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1540-80-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1540-74-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1540-76-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1540-78-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1644-56-0x0000000075D41000-0x0000000075D43000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1644-69-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1644-63-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1644-57-0x0000000077BF0000-0x0000000077D70000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/2036-72-0x0000000074880000-0x0000000074E2B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2036-71-0x0000000074880000-0x0000000074E2B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2036-59-0x0000000000000000-mapping.dmp
    Download