Overview

overview

10

Static

static

5420a4b5bd...30.exe

windows7-x64

10

5420a4b5bd...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    163s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-07-2022 20:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5420a4b5bde081383f5cd023e5e270fa940f066087b83ada3e290550fd27f330.exe

  • Size

    1.1MB

  • MD5

    17317e485baaee24963ba10b4fbb02de

  • SHA1

    b738ea496f24c0bf920dcd662047880fb880630f

  • SHA256

    5420a4b5bde081383f5cd023e5e270fa940f066087b83ada3e290550fd27f330

  • SHA512

    6b245005c6dfbfaa85f349041bdc42f6d77f5bc0b6c8d81134b3d8049a029aa4b933eb7eb8ff3d0cb015440c1a0c0682e7bd53644f0952ddfc2090f532d99065

Score
10/10
hawkeye_rebornm00nd3v_loggernetwirebotnetcollectioninfostealerkeyloggerratspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    wealthyme@yandex.com
  • Password:
    Favor2017$

Extracted

Family

hawkeye_reborn

Attributes
  • fields

  • name

Extracted

Family

netwire

C2

wealthyman.brasilia.me:39560

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    WEALTH

  • keylogger_dir

    %AppData%\music\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    sucess

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • NetWire RAT payload 1 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • M00nD3v Logger payload 2 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5420a4b5bde081383f5cd023e5e270fa940f066087b83ada3e290550fd27f330.exe
    "C:\Users\Admin\AppData\Local\Temp\5420a4b5bde081383f5cd023e5e270fa940f066087b83ada3e290550fd27f330.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Users\Admin\AppData\Local\Temp\HKSERVER.exe
      "C:\Users\Admin\AppData\Local\Temp\HKSERVER.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3720
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD3EA.tmp"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2092
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpDBF9.tmp"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:2212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\HKSERVER.exe
    Filesize

    552KB

    MD5

    79cb789655a53a9844ed4bcc859e7931

    SHA1

    7792b6ab97d927dd6ef1a254dc0dc72b363f99a5

    SHA256

    d93d3b7171120b37fc1e1ce495e6b7000befdd846bd4d27d7aa43d1289405a7f

    SHA512

    c8b0d46c40cb541e87490a48d61044f76190fa5b31db172d8bc1d788050e5b287b824ddcb4f2afb543ffc900947a0a0af9d85579d134d2c584a73a8d97ddd173

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\HKSERVER.exe
    Filesize

    552KB

    MD5

    79cb789655a53a9844ed4bcc859e7931

    SHA1

    7792b6ab97d927dd6ef1a254dc0dc72b363f99a5

    SHA256

    d93d3b7171120b37fc1e1ce495e6b7000befdd846bd4d27d7aa43d1289405a7f

    SHA512

    c8b0d46c40cb541e87490a48d61044f76190fa5b31db172d8bc1d788050e5b287b824ddcb4f2afb543ffc900947a0a0af9d85579d134d2c584a73a8d97ddd173

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpD3EA.tmp
    Filesize

    4KB

    MD5

    ae71d1489c720c09cdc02b218976fd51

    SHA1

    1cc6d077c844719c4312b3406886672b83733321

    SHA256

    ef9b00f510578bf81d7e764f3fbf5185c75cb5b4faa8e2d0348679110b6bc854

    SHA512

    fb9676057ae018a95ec744af57ea4dc8f3e4a689328418751cf74509022e05aec5130f4328a7cfbbaa8dd3230e1aa8cc73cb82b1ae1245a26d32d1906290ab45

    Download Submit
  • memory/1444-145-0x00000000777A0000-0x0000000077943000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1444-137-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1444-143-0x0000000075460000-0x00000000755BD000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1444-132-0x00000000777A0000-0x0000000077943000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2092-151-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/2092-147-0x0000000000000000-mapping.dmp
    Download
  • memory/2092-148-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/2092-150-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/2092-152-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/2212-154-0x0000000000000000-mapping.dmp
    Download
  • memory/2212-155-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2212-157-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2212-158-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/3720-146-0x0000000073320000-0x00000000738D1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3720-144-0x0000000073320000-0x00000000738D1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3720-133-0x0000000000000000-mapping.dmp
    Download