Analysis

max time kernel: 137s
max time network: 16s
platform: windows7_x64
resource: win7v200430
submitted: 19-05-2020 14:24

Static task: static1
Behavioral task: behavioral1
  Sample: 009865.PDF.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 009865.PDF.exe
  Resource: win10v200430
General

Target: 009865.PDF.exe
Size: 779KB
MD5: ae683582bc9e495df07b906e3b94873b
SHA1: 03105c593dfe693398fbfd27e788bf4ce840977f
SHA256: 06877846c6e43d02cb0ff3899b0a7cb450c09285c66fe7e63a08d00f4b3580bb
SHA512: 8d761ff051be1614f9f2fb052cdc5094e2c625f9b694b8451110b4cc6d10bd1bdf4e82c770779d7915a8f3573cb3cbf42fb6b8de56595c6b35f03457873edcc0
Malware Config

Extracted
Family: hawkeye_reborn
Version: 10.1.0.0
Credentials: Protocol: smtp - Host: mail.3enaluminyum.com.tr - Port: 587 - Username: [email protected] - Password: 3eN13579?
Mutex: 1278e7d4-dcd9-4a7a-8780-d6f5636aa3de
fields:
  _AntiDebugger: false
  _AntiVirusKiller: false
  _BotKiller: false
  _ClipboardLogger: true
  _Delivery: 0
  _DisableCommandPrompt: false
  _DisableRegEdit: false
  _DisableTaskManager: false
  _Disablers: false
  _EmailPassword: 3eN13579?
  _EmailPort: 587
  _EmailSSL: true
  _EmailServer: mail.3enaluminyum.com.tr
  _EmailUsername: [email protected]
  _ExecutionDelay: 10
  _FTPPort: 0
  _FTPSFTP: false
  _FakeMessageIcon: 0
  _FakeMessageShow: false
  _FileBinder: false
  _HideFile: false
  _HistoryCleaner: false
  _Install: false
  _InstallLocation: 0
  _InstallStartup: false
  _InstallStartupPersistance: false
  _KeyStrokeLogger: true
  _LogInterval: 10
  _MeltFile: false
  _Mutex: 1278e7d4-dcd9-4a7a-8780-d6f5636aa3de
  _PasswordStealer: true
  _ProcessElevation: false
  _ProcessProtection: false
  _ScreenshotLogger: false
  _SystemInfo: false
  _Version: 10.1.0.0
  _WebCamLogger: false
  _WebsiteBlocker: false
  _WebsiteVisitor: false
  _WebsiteVisitorVisible: false
  _ZoneID: false
name: HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null
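The fields row above is the sandbox's rendering of the extracted configuration as one map[key:value ...] string. The Python below is an editor's example added to this page; it is not part of the sandbox report and not code from the malware. It parses that blob into typed values and derives what a responder wants first: the exfiltration channel and the capture modules that are switched on. The blob is copied verbatim from the report, including the [email protected] placeholder the page shows in place of the SMTP username. The capability grouping and the SMTP-versus-FTP inference are the editor's heuristics, not HawkEye's documented semantics.

```python
import re
from typing import Any, Dict, List, Tuple

# Copied verbatim from the "fields" row of the report above: the sandbox's
# Go-style "map[key:value ...]" rendering of the extracted HawkEye Reborn settings.
RAW_FIELDS = (
    "map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false "
    "_ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false "
    "_DisableRegEdit:false _DisableTaskManager:false _Disablers:false "
    "_EmailPassword:3eN13579? _EmailPort:587 _EmailSSL:true "
    "_EmailServer:mail.3enaluminyum.com.tr _EmailUsername:[email protected] "
    "_ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 "
    "_FakeMessageShow:false _FileBinder:false _HideFile:false "
    "_HistoryCleaner:false _Install:false _InstallLocation:0 "
    "_InstallStartup:false _InstallStartupPersistance:false "
    "_KeyStrokeLogger:true _LogInterval:10 _MeltFile:false "
    "_Mutex:1278e7d4-dcd9-4a7a-8780-d6f5636aa3de _PasswordStealer:true "
    "_ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false "
    "_SystemInfo:false _Version:10.1.0.0 _WebCamLogger:false "
    "_WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false "
    "_ZoneID:false]"
)

# Setting-name suffixes whose "true" means a capture/defence-evasion module is on.
# This grouping is the editor's assumption, derived from the names in the blob.
CAPABILITY_SUFFIXES = ("Logger", "Stealer", "Killer", "Cleaner", "Blocker",
                       "Visitor", "Binder", "Protection", "Elevation", "Info")


def _coerce(value: str) -> Any:
    """Map the blob's string values onto Python types: bool, int, else str."""
    low = value.lower()
    if low in ("true", "false"):
        return low == "true"
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    return value


def parse_hawkeye_fields(blob: str) -> Dict[str, Any]:
    """Parse a map[_Key:value ...] blob into an insertion-ordered dict.

    Tokens are split only at whitespace that is immediately followed by another
    _Key: prefix, so a value that itself contains spaces would survive intact.
    """
    m = re.fullmatch(r"map\[(.*)\]", blob.strip(), re.S)
    if not m:
        raise ValueError("expected a map[...] blob")
    fields: Dict[str, Any] = {}
    for token in re.split(r"\s+(?=_\w+:)", m.group(1).strip()):
        key, sep, value = token.partition(":")
        if not sep:
            raise ValueError(f"malformed token: {token!r}")
        fields[key] = _coerce(value)
    return fields


def enabled_capabilities(fields: Dict[str, Any]) -> List[str]:
    """Names of the modules the operator switched on, in config order."""
    return [k for k, v in fields.items()
            if v is True and k.endswith(CAPABILITY_SUFFIXES)]


def exfil_channel(fields: Dict[str, Any]) -> Tuple[str, str, int, bool]:
    """Infer (protocol, host, port, tls) from which server settings are populated.

    Editor's heuristic: a non-empty _EmailServer with a non-zero _EmailPort means
    SMTP; otherwise FTP/SFTP if _FTPPort is set. _Delivery is left uninterpreted
    because its encoding is not documented in the report.
    """
    if fields.get("_EmailServer") and fields.get("_EmailPort"):
        return ("smtp", fields["_EmailServer"], fields["_EmailPort"],
                bool(fields.get("_EmailSSL")))
    if fields.get("_FTPPort"):
        proto = "sftp" if fields.get("_FTPSFTP") else "ftp"
        return (proto, fields.get("_FTPServer", ""), fields["_FTPPort"], False)
    return ("none", "", 0, False)


def summarize(blob: str) -> Dict[str, Any]:
    """The triage-relevant facts from one config blob."""
    f = parse_hawkeye_fields(blob)
    return {
        "version": f.get("_Version"),
        "mutex": f.get("_Mutex"),
        "exfil": exfil_channel(f),
        "capabilities": enabled_capabilities(f),
        "execution_delay": f.get("_ExecutionDelay"),
        "log_interval": f.get("_LogInterval"),
    }


if __name__ == "__main__":
    for key, val in summarize(RAW_FIELDS).items():
        print(f"{key:>16}: {val}")
```

The mutex and the SMTP host/port pair are the two values worth hunting on directly: the mutex is a host-based indicator for any running HawkEye instance built from this config, and the SMTP destination on port 587 is what egress logs will show when the keylog and stolen credentials are sent.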
Signatures

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                          pid   process         target process
  PID 1304 set thread context of 852   1304  009865.PDF.exe  009865.PDF.exe
  PID 852 set thread context of 800    852   009865.PDF.exe  vbc.exe
Changing another process's thread context after writing into its memory is the last step of process hollowing: the thread of the suspended target is pointed at the injected code before it is resumed. Both hops in the chain (dropper into its own second instance, second instance into vbc.exe) use it.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  800   vbc.exe
  852   009865.PDF.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  852   009865.PDF.exe
SetWindowsHookEx is the API used to install keyboard hooks; its use by the second-stage instance matches the _KeyStrokeLogger:true setting in the extracted config.

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   852   009865.PDF.exe
Enabling SeDebugPrivilege lets a process open handles to processes it does not own; here it is requested by the same instance that performs the injection.

Uses the VBS compiler for execution (1 TTP)
vbc.exe is the Visual Basic .NET compiler shipped with every .NET Framework install, a Microsoft-signed binary. It is not compiling anything here: PID 852 starts it and then writes into it and sets its thread context (see the entries above and below), so it serves as the hollowed host for the injected payload.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, such as saved credentials. This matches the _PasswordStealer:true setting in the extracted config.

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.

Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
  description                        pid   process         target process  count
  PID 1304 wrote to memory of 852    1304  009865.PDF.exe  009865.PDF.exe  9
  PID 852 wrote to memory of 800     852   009865.PDF.exe  vbc.exe         10
The 19 events are the individual writes that populate the two hollowed targets before their thread contexts are changed.
Processes

C:\Users\Admin\AppData\Local\Temp\009865.PDF.exe  (PID 1304)
  command line: "C:\Users\Admin\AppData\Local\Temp\009865.PDF.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  └─ C:\Users\Admin\AppData\Local\Temp\009865.PDF.exe  (PID 852)
       command line: "{path}"
       - Suspicious use of SetThreadContext
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of SetWindowsHookEx
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory

       └─ C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 800)
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp13DD.tmp"
            - Suspicious behavior: EnumeratesProcesses
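The tree above is the chain the signatures describe: the dropper relaunches its own image (1304 to 852, recorded with the command line "{path}"), and the second instance then starts the genuine .NET Framework 2.0 vbc.exe and writes into it (852 to 800). The Python below is an editor's example added to this page, not code from the report; it encodes that chain as three process-creation rules and runs them over constructed Sysmon-style records that reproduce the tree. The explorer.exe parent of PID 1304 and the MSBuild/vbc.exe baseline pair are assumptions added so the rules can be shown not firing on a normal build. The /stext rule rests on a fact the report does not state: vbc.exe has no /stext switch, while "/stext <file>" is the save-as-text option of the NirSoft password-recovery utilities, so a vbc.exe that accepts it is running code that is not vbc.

```python
import ntpath
from typing import Any, Dict, List, Optional

# Constructed Sysmon-style process-creation records (Event ID 1 fields, trimmed)
# reproducing the process tree in the report. PIDs, images and command lines
# of 1304/852/800 are the report's; the explorer.exe parent and the
# MSBuild.exe -> vbc.exe pair (2000/2001) are the editor's assumed baseline.
EVENTS: List[Dict[str, Any]] = [
    {"pid": 1304, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\009865.PDF.exe",
     "parent_image": r"C:\Windows\explorer.exe",  # assumed
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\009865.PDF.exe"'},
    {"pid": 852, "ppid": 1304,
     "image": r"C:\Users\Admin\AppData\Local\Temp\009865.PDF.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\009865.PDF.exe",
     "cmd": '"{path}"'},
    {"pid": 800, "ppid": 852,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\009865.PDF.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext '
            r'"C:\Users\Admin\AppData\Local\Temp\tmp13DD.tmp"'},
    # Constructed benign baseline: a build agent compiling a VB.NET project.
    {"pid": 2001, "ppid": 2000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig '
            r'/out:obj\Release\App.exe Module1.vb'},
]

# Directory markers a standard user can write to (lower-cased, backslash-delimited).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# Parents from which vbc.exe is expected; an assumed allowlist, tune per estate.
DEV_PARENTS = ("msbuild.exe", "devenv.exe", "csc.exe")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def rule_self_relaunch(ev: Dict[str, Any]) -> Optional[str]:
    """Child and parent share one image in a user-writable path: the dropper
    re-executing itself as a hollowing host, as 1304 -> 852 does above."""
    if ev["image"].lower() == ev["parent_image"].lower() and in_user_writable(ev["image"]):
        return "self_relaunch"
    return None


def rule_vbc_stext(ev: Dict[str, Any]) -> Optional[str]:
    """vbc.exe started with /stext. The VB.NET compiler has no such switch;
    it is the NirSoft tools' save-as-text option, so the process is not
    running the compiler's own code."""
    if basename(ev["image"]) == "vbc.exe" and "/stext" in ev["cmd"].lower():
        return "vbc_stext"
    return None


def rule_vbc_untrusted_parent(ev: Dict[str, Any]) -> Optional[str]:
    """vbc.exe spawned by a non-build-tool living in a user-writable directory."""
    parent = ev["parent_image"]
    if (basename(ev["image"]) == "vbc.exe"
            and basename(parent) not in DEV_PARENTS
            and in_user_writable(parent)):
        return "vbc_untrusted_parent"
    return None


RULES = (rule_self_relaunch, rule_vbc_stext, rule_vbc_untrusted_parent)


def ancestry(events: List[Dict[str, Any]], pid: int) -> List[int]:
    """PIDs from the oldest known ancestor down to `pid`, guarding against cycles."""
    by_pid = {e["pid"]: e for e in events}
    chain: List[int] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run every rule over every event; return one finding per flagged process."""
    findings = []
    for ev in events:
        hits = [name for name in (rule(ev) for rule in RULES) if name]
        if hits:
            findings.append({"pid": ev["pid"], "image": ev["image"],
                             "rules": hits, "chain": ancestry(events, ev["pid"])})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"PID {f['pid']} {f['image']}: {', '.join(f['rules'])} "
              f"(chain {' -> '.join(map(str, f['chain']))})")
```

Two of the three rules fire without any file hash: the image in the vbc.exe hop is Microsoft's own binary at its normal path, so the detection has to come from the parent and the command line rather than from the executable. The hash rows in the General section still serve for retro-hunting this exact dropper, but a rebuilt HawkEye sample would defeat them while still tripping the behavioural rules above.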