Analysis
max time kernel: 132s
max time network: 85s
platform: windows10_x64
resource: win10v200430
submitted: 19-05-2020 14:24
Static task: static1
Behavioral task: behavioral1
  Sample: 009865.PDF.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 009865.PDF.exe
  Resource: win10v200430
General
Target: 009865.PDF.exe
Size: 779KB
MD5: ae683582bc9e495df07b906e3b94873b
SHA1: 03105c593dfe693398fbfd27e788bf4ce840977f
SHA256: 06877846c6e43d02cb0ff3899b0a7cb450c09285c66fe7e63a08d00f4b3580bb
SHA512: 8d761ff051be1614f9f2fb052cdc5094e2c625f9b694b8451110b4cc6d10bd1bdf4e82c770779d7915a8f3573cb3cbf42fb6b8de56595c6b35f03457873edcc0
Malware Config
Extracted
Family: hawkeye_reborn
Version: 10.1.0.0
Protocol: smtp
Host: mail.3enaluminyum.com.tr
Port: 587
Username: [email protected]
Password: 3eN13579?
Mutex: 1278e7d4-dcd9-4a7a-8780-d6f5636aa3de
fields (all 41 configuration switches as extracted; true = enabled):
  _AntiDebugger: false
  _AntiVirusKiller: false
  _BotKiller: false
  _ClipboardLogger: true
  _Delivery: 0
  _DisableCommandPrompt: false
  _DisableRegEdit: false
  _DisableTaskManager: false
  _Disablers: false
  _EmailPassword: 3eN13579?
  _EmailPort: 587
  _EmailSSL: true
  _EmailServer: mail.3enaluminyum.com.tr
  _EmailUsername: [email protected]
  _ExecutionDelay: 10
  _FTPPort: 0
  _FTPSFTP: false
  _FakeMessageIcon: 0
  _FakeMessageShow: false
  _FileBinder: false
  _HideFile: false
  _HistoryCleaner: false
  _Install: false
  _InstallLocation: 0
  _InstallStartup: false
  _InstallStartupPersistance: false
  _KeyStrokeLogger: true
  _LogInterval: 10
  _MeltFile: false
  _Mutex: 1278e7d4-dcd9-4a7a-8780-d6f5636aa3de
  _PasswordStealer: true
  _ProcessElevation: false
  _ProcessProtection: false
  _ScreenshotLogger: false
  _SystemInfo: false
  _Version: 10.1.0.0
  _WebCamLogger: false
  _WebsiteBlocker: false
  _WebsiteVisitor: false
  _WebsiteVisitorVisible: false
  _ZoneID: false
name (.NET assembly display name): HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null
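Added example, not part of the sandbox report: the fields value above is Go's fmt rendering of a map (map[key:value key:value ...]), which is how this sandbox prints an extracted configuration. The script below parses that rendering into a dict, coerces booleans and integers, and reports which switches the operator enabled and where the logs are sent, so the same routine can be run over other reports of this family. The input string is the report's own fields line; the function names and the grouping are mine.

```python
import re
from typing import Any, Dict, List

# The "fields" value of the extracted configuration above, copied from the report.
REPORTED_FIELDS = (
    "map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true "
    "_Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false "
    "_Disablers:false _EmailPassword:3eN13579? _EmailPort:587 _EmailSSL:true "
    "_EmailServer:mail.3enaluminyum.com.tr _EmailUsername:[email protected] _ExecutionDelay:10 "
    "_FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false "
    "_HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false "
    "_InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false "
    "_Mutex:1278e7d4-dcd9-4a7a-8780-d6f5636aa3de _PasswordStealer:true _ProcessElevation:false "
    "_ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 "
    "_WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false "
    "_ZoneID:false]"
)

# A key is an underscore-prefixed identifier followed by a colon, at the start of the
# body or after whitespace. Values run up to the next key, so a value that itself
# contains spaces (a password, say) is not split.
KEY_RE = re.compile(r"(?:^|\s)(_[A-Za-z0-9]+):")


def _coerce(raw: str) -> Any:
    """Go prints bools as true/false and ints bare; everything else stays a string."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw


def parse_fields(text: str) -> Dict[str, Any]:
    """Turn a Go map[...] dump into a dict, dropping each key's leading underscore."""
    body = text.strip()
    if body.startswith("map[") and body.endswith("]"):
        body = body[4:-1]
    keys = list(KEY_RE.finditer(body))
    out: Dict[str, Any] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        out[m.group(1).lstrip("_")] = _coerce(body[m.end():end].strip())
    return out


def enabled_switches(cfg: Dict[str, Any]) -> List[str]:
    """Every boolean switch the operator turned on, sorted for stable comparison."""
    return sorted(k for k, v in cfg.items() if v is True)


def exfil_endpoint(cfg: Dict[str, Any]) -> Dict[str, Any]:
    """The SMTP delivery channel the report lists as Protocol: smtp."""
    return {
        "server": cfg.get("EmailServer"),
        "port": cfg.get("EmailPort"),
        "ssl": cfg.get("EmailSSL"),
        "user": cfg.get("EmailUsername"),
        "log_interval": cfg.get("LogInterval"),
    }


if __name__ == "__main__":
    cfg = parse_fields(REPORTED_FIELDS)
    print("enabled:", ", ".join(enabled_switches(cfg)))
    print("exfil:", exfil_endpoint(cfg))
```

For this sample the enabled switches are ClipboardLogger, KeyStrokeLogger and PasswordStealer (plus EmailSSL on the delivery channel); Install, InstallStartup and MeltFile are all off, which matches the behavioral run showing no persistence activity, only injection and the two vbc.exe children.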
Signatures
Suspicious use of SetThreadContext (3 IoCs)
  description | pid | process | target process
  PID 1732 set thread context of 1988 | 1732 | 009865.PDF.exe | 1988 009865.PDF.exe
  PID 1988 set thread context of 3896 | 1988 | 009865.PDF.exe | 3896 vbc.exe
  PID 1988 set thread context of 4076 | 1988 | 009865.PDF.exe | 4076 vbc.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | process
  3896 | vbc.exe (4 events)
  1988 | 009865.PDF.exe (2 events)
Suspicious use of WriteProcessMemory (26 IoCs)
  description | pid | process | target process
  PID 1732 wrote to memory of 1988 | 1732 | 009865.PDF.exe | 1988 009865.PDF.exe (8 events)
  PID 1988 wrote to memory of 3896 | 1988 | 009865.PDF.exe | 3896 vbc.exe (9 events)
  PID 1988 wrote to memory of 4076 | 1988 | 009865.PDF.exe | 4076 vbc.exe (9 events)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1988 | 009865.PDF.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | process
  1988 | 009865.PDF.exe
Uses the VBS compiler for execution (1 TTPs)
vbc.exe is the Visual Basic .NET command-line compiler shipped with the .NET Framework (here the v2.0.50727 build). In this run both instances are started with no source file and with the /stext switch, which is not a compiler option, and both are targets of SetThreadContext and WriteProcessMemory from PID 1988: the signed, trusted compiler serves only as a host process for injected code.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  6 | bot.whatismyipaddress.com
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\009865.PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\009865.PDF.exe"
  PID: 1732
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Users\Admin\AppData\Local\Temp\009865.PDF.exe
    Command line: "{path}"
    PID: 1988
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    depth 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1D13.tmp"
      PID: 3896
      - Suspicious behavior: EnumeratesProcesses
    depth 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2561.tmp"
      PID: 4076
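Added example, not part of the sandbox report: the signatures and process tree above show the injection chain this sample uses (a second copy of 009865.PDF.exe is launched and written to with WriteProcessMemory/SetThreadContext, and that copy then does the same to two vbc.exe processes started with /stext). The script below rebuilds the four process-creation records from the tree (PIDs, image paths and command lines are the report's own; the parent of PID 1732 is not shown in the report, so its parent PID is set to 0 here as an assumption) and runs the two checks a detection engineer would derive from this report: a process spawning its own image, and vbc.exe/csc.exe started without a source or response file or with /stext. A constructed benign MSBuild compile is included as the contrast case that must not fire. The function names, the regex and the benign records are mine.

```python
import ntpath
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: the fields a Sysmon event 1 or a sandbox tree gives you."""
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\009865.PDF.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Process tree from the report above. ppid 0 for PID 1732 is an assumption (not shown).
REPORTED_TREE = [
    ProcEvent(1732, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1988, 1732, SAMPLE, '"{path}"'),
    ProcEvent(3896, 1988, VBC, f'"{VBC}" /stext "{TEMP}\\tmp1D13.tmp"'),
    ProcEvent(4076, 1988, VBC, f'"{VBC}" /stext "{TEMP}\\tmp2561.tmp"'),
]

# Constructed contrast case: a real build compiling a real source file. Must not fire.
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
BENIGN_BUILD = [
    ProcEvent(500, 0, MSBUILD, f'"{MSBUILD}" app.vbproj'),
    ProcEvent(501, 500, VBC, f'"{VBC}" /target:library /out:app.dll Module1.vb'),
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
COMPILERS = {"vbc.exe", "csc.exe"}
SOURCE_EXT = (".vb", ".cs", ".rsp")


def _args(cmdline: str) -> List[str]:
    """Tokenize a Windows command line (backslashes are not escapes), dropping argv[0]."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)[1:]]


def self_spawns(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """(parent pid, child pid) pairs where a process launched a copy of its own image,
    the first WriteProcessMemory/SetThreadContext target in the report (1732 -> 1988)."""
    by_pid = {e.pid: e for e in events}
    return [(e.ppid, e.pid) for e in events
            if e.ppid in by_pid and by_pid[e.ppid].image.lower() == e.image.lower()]


def hollowed_compilers(events: List[ProcEvent]) -> List[int]:
    """PIDs of vbc.exe/csc.exe started with /stext, or with no .vb/.cs/.rsp input at all.
    A real compile always names a source or response file; /stext is not a compiler switch
    (it is the save-as-text switch of the NirSoft recovery tools HawkEye is known to run
    inside vbc.exe; the report itself only shows the switch and the Temp output file)."""
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() not in COMPILERS:
            continue
        args = [a.lower() for a in _args(e.cmdline)]
        has_source = any(a.endswith(SOURCE_EXT) for a in args if not a.startswith(("/", "-")))
        if "/stext" in args or not has_source:
            hits.append(e.pid)
    return hits


def hawkeye_chain(events: List[ProcEvent]) -> List[Tuple[int, List[int]]]:
    """Correlate both signals: a self-spawned process running from a user-writable Temp
    directory that parents one or more hollowed compilers. Returns
    [(injector pid, [hollowed compiler pids])]."""
    by_pid = {e.pid: e for e in events}
    injected = {child for _, child in self_spawns(events)}
    out: Dict[int, List[int]] = {}
    for pid in hollowed_compilers(events):
        parent = by_pid.get(by_pid[pid].ppid)
        if parent and parent.pid in injected and USER_WRITABLE.search(parent.image):
            out.setdefault(parent.pid, []).append(pid)
    return sorted(out.items())


if __name__ == "__main__":
    print("reported run:", hawkeye_chain(REPORTED_TREE))   # [(1988, [3896, 4076])]
    print("benign build:", hawkeye_chain(BENIGN_BUILD))    # []
```

The self-spawn check alone is noisy (updaters and browsers do it legitimately), and a compiler with no source is rare but not unique to this family; the correlated form, a self-spawned binary in a user-writable directory parenting a source-less compiler, is what this report justifies as a high-confidence rule.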