Overview

overview

10

Static

static

3

1e6ec142ba...d4.exe

windows7-x64

10

1e6ec142ba...d4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-12-2023 22:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e6ec142ba08c7deafd25bdea76f32d4.exe

  • Size

    1.2MB

  • MD5

    1e6ec142ba08c7deafd25bdea76f32d4

  • SHA1

    6b52334ca53b1c604c5865e2ab49056b870808c5

  • SHA256

    e773f60aeb241f884b4f932d7ddd4e31c87f31781d5bd53d8583b3d54807a449

  • SHA512

    70d7e937546384ecafd26978c486f7626076dc403ee6b78051bf2a4f5cda7a9733abd566face813b93d1a6152494b9b57666bfaecd90122c0dff126116bb4928

  • SSDEEP

    12288:9ObrmTJfbAGG64rJr7MWUXApfe1I3ri7Ta8OFAzRfV/ZH1CFnws3uThJnaSFvpRH:l5NeJnNfe1uri725ID1G3uNMSFxHH/5

Score
10/10
hawkeye_rebornm00nd3v_loggercollectioninfostealerkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    PLAYBOY@123
Mutex

0afb590f-6441-4e30-9017-486274a19cc9

Attributes
  • fields

    map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:PLAYBOY@123 _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:2880 _MeltFile:false _Mutex:0afb590f-6441-4e30-9017-486274a19cc9 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]

  • name

    HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • M00nD3v Logger payload 1 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • NirSoft MailPassView 4 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 5 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 8 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e6ec142ba08c7deafd25bdea76f32d4.exe
    "C:\Users\Admin\AppData\Local\Temp\1e6ec142ba08c7deafd25bdea76f32d4.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4728
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UaoePQDdm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp75E.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3920
    • C:\Users\Admin\AppData\Local\Temp\1e6ec142ba08c7deafd25bdea76f32d4.exe
      "C:\Users\Admin\AppData\Local\Temp\1e6ec142ba08c7deafd25bdea76f32d4.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3160
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp31B9.tmp"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3624
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp35C2.tmp"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:2336

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1e6ec142ba08c7deafd25bdea76f32d4.exe.log
    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp31B9.tmp
    Filesize

    4KB

    MD5

    2cbe8873d9d19e766fd9a1f758da8e74

    SHA1

    544271b8bf2aa7108e9f0f1cf11de5eb2a389f17

    SHA256

    b92f48c215f2d309a748e67787283bb2c61bbce1faf7dcb3b917f57be92b28e2

    SHA512

    4f8842cfc7b97b82e5f105aeb1b838f9f50072d3f9cae7412e09c0f8fb592a40fc6064cd9ef8e67133ec5694590d106d3e3141e2fd0a21c3d32d6340068ca632

    Download Submit

  • memory/2336-37-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2336-40-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2336-39-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3160-17-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

    Download

  • memory/3160-43-0x00000000751F0000-0x00000000759A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3160-23-0x0000000005C50000-0x0000000005C60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3160-44-0x0000000005C50000-0x0000000005C60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3160-24-0x0000000005C60000-0x0000000005CC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3160-20-0x00000000751F0000-0x00000000759A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3160-22-0x00000000059B0000-0x0000000005A26000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3624-35-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/3624-34-0x0000000000460000-0x0000000000529000-memory.dmp

    Filesize

    804KB

    Download

  • memory/3624-29-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/3624-28-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/3624-26-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/4728-7-0x0000000008540000-0x00000000085DC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4728-21-0x00000000751F0000-0x00000000759A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4728-11-0x000000000AFA0000-0x000000000B05C000-memory.dmp

    Filesize

    752KB

    Download

  • memory/4728-10-0x0000000008840000-0x0000000008910000-memory.dmp

    Filesize

    832KB

    Download

  • memory/4728-9-0x00000000058A0000-0x00000000058B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4728-8-0x00000000751F0000-0x00000000759A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4728-1-0x00000000751F0000-0x00000000759A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4728-6-0x0000000008460000-0x000000000847C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/4728-5-0x00000000058E0000-0x00000000058EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4728-4-0x00000000058A0000-0x00000000058B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4728-3-0x0000000005930000-0x00000000059C2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4728-2-0x0000000005EE0000-0x0000000006484000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4728-0-0x0000000000DB0000-0x0000000000EE0000-memory.dmp

    Filesize

    1.2MB

    Download