678900.pdf.exe

General

Target: 678900.pdf.exe
Filesize: 802KB
Completed: 26-05-2020 13:20
Score: 10/10
MD5: 109964ff67ad854a737b1cd1902a5424
SHA1: afcf13c1f3e3d4e19f20e8449302e429e10c5d7c
SHA256: a5a00f206182c8e732f580b520af49f2b5a33c93676f15e8eadb5d1eba6ed497

Malware Config

Extracted

Family: hawkeye_reborn
Version: 10.1.0.0

Credentials

Protocol: smtp
Host: mail.3enaluminyum.com.tr
Port: 587
Username: ihgungor@3enaluminyum.com.tr
Password: 3eN13579?

Attributes

fields (key: value, as extracted from the sample's configuration)
  _AntiDebugger: false
  _AntiVirusKiller: false
  _BotKiller: false
  _ClipboardLogger: true
  _Delivery: 0
  _DisableCommandPrompt: false
  _DisableRegEdit: false
  _DisableTaskManager: false
  _Disablers: false
  _EmailPassword: 3eN13579?
  _EmailPort: 587
  _EmailSSL: true
  _EmailServer: mail.3enaluminyum.com.tr
  _EmailUsername: ihgungor@3enaluminyum.com.tr
  _ExecutionDelay: 10
  _FTPPort: 0
  _FTPSFTP: false
  _FakeMessageIcon: 0
  _FakeMessageShow: false
  _FileBinder: false
  _HideFile: false
  _HistoryCleaner: false
  _Install: false
  _InstallLocation: 0
  _InstallStartup: false
  _InstallStartupPersistance: false
  _KeyStrokeLogger: true
  _LogInterval: 10
  _MeltFile: false
  _Mutex: 1278e7d4-dcd9-4a7a-8780-d6f5636aa3de
  _PasswordStealer: true
  _ProcessElevation: false
  _ProcessProtection: false
  _ScreenshotLogger: false
  _SystemInfo: false
  _Version: 10.1.0.0
  _WebCamLogger: false
  _WebsiteBlocker: false
  _WebsiteVisitor: false
  _WebsiteVisitorVisible: false
  _ZoneID: false

name: HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null
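The fields attribute is extracted as one flattened key:value dump. The Python below is an added example for this report, not code from the sandbox or from HawkEye: it parses that map[...] rendering into a dict and reduces it to the indicators an analyst would act on (SMTP exfiltration endpoint, mutex, enabled collection modules, persistence). The sample string is the report's own fields attribute; the meaning given to flag names (for example that _Install and _InstallStartup govern persistence, and that a populated _EmailServer means e-mail exfiltration, as the Credentials block above also states) is inferred from the names and is an assumption.

```python
"""Parse the flattened HawkEye Reborn config dump and derive indicators.

Added example for this report, not code from the sandbox or the malware.
Input is the Go-style "map[key:value key:value ...]" rendering used for the
"fields" attribute; flag semantics are inferred from the key names.
"""
import re

# Constructed input: the report's "fields" attribute, copied verbatim.
SAMPLE_FIELDS = (
    "map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false "
    "_ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false "
    "_DisableRegEdit:false _DisableTaskManager:false _Disablers:false "
    "_EmailPassword:3eN13579? _EmailPort:587 _EmailSSL:true "
    "_EmailServer:mail.3enaluminyum.com.tr "
    "_EmailUsername:ihgungor@3enaluminyum.com.tr _ExecutionDelay:10 "
    "_FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false "
    "_FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false "
    "_InstallLocation:0 _InstallStartup:false "
    "_InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 "
    "_MeltFile:false _Mutex:1278e7d4-dcd9-4a7a-8780-d6f5636aa3de "
    "_PasswordStealer:true _ProcessElevation:false _ProcessProtection:false "
    "_ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 "
    "_WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false "
    "_WebsiteVisitorVisible:false _ZoneID:false]"
)

# Flag groups whose meaning is assumed from their names (the report does
# not document them): what the build collects, and whether it installs.
LOGGER_FLAGS = ("_KeyStrokeLogger", "_ClipboardLogger", "_ScreenshotLogger",
                "_WebCamLogger", "_PasswordStealer", "_SystemInfo")
PERSISTENCE_FLAGS = ("_Install", "_InstallStartup", "_InstallStartupPersistance")


def _coerce(raw: str):
    """Map the dump's textual values to bool/int; everything else stays str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw  # version strings, GUIDs, hostnames, addresses, passwords


def parse_fields(dump: str) -> dict:
    """Turn 'map[k:v k:v ...]' into a dict.

    Tokens are whitespace-separated, so a value containing a space would be
    split; no value in the report's dump contains one. Only the first ':'
    separates key from value, so 'host:port'-style values survive intact.
    """
    body = dump.strip()
    if not (body.startswith("map[") and body.endswith("]")):
        raise ValueError("expected a map[...] dump")
    fields = {}
    for token in body[len("map["):-1].split():
        key, sep, raw = token.partition(":")
        if not sep:
            raise ValueError(f"token without ':': {token!r}")
        fields[key] = _coerce(raw)
    return fields


def summarize(cfg: dict) -> dict:
    """Reduce a parsed config to the indicators worth acting on."""
    exfil = None
    if cfg.get("_EmailServer"):  # populated SMTP settings: e-mail exfil (assumed)
        exfil = {
            "protocol": "smtp",
            "host": cfg["_EmailServer"],
            "port": cfg.get("_EmailPort"),
            "tls": bool(cfg.get("_EmailSSL")),
            "username": cfg.get("_EmailUsername"),
        }
    return {
        "family_version": cfg.get("_Version"),
        "mutex": cfg.get("_Mutex"),  # host-based IOC
        "exfil": exfil,              # network IOCs to block and hunt for
        "collects": [k for k in LOGGER_FLAGS if cfg.get(k) is True],
        "persists": any(cfg.get(k) is True for k in PERSISTENCE_FLAGS),
        "execution_delay": cfg.get("_ExecutionDelay"),
        "log_interval": cfg.get("_LogInterval"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_fields(SAMPLE_FIELDS)), indent=2))
```

For this build the summary shows keystroke, clipboard and password collection enabled, screenshot and webcam capture off, no install or startup persistence, and a single SMTP endpoint on port 587 with TLS, which matches the Credentials block and the absence of Persistence findings further down the report.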
Signatures (8)

Tags: Collection, Credential Access, Defense Evasion

  • Suspicious behavior: EnumeratesProcesses
    Processes: 678900.pdf.exe, vbc.exe, 678900.pdf.exe

    Reported IOCs

    pid   process
    1492  678900.pdf.exe
    1492  678900.pdf.exe
    1492  678900.pdf.exe
    1336  vbc.exe
    1052  678900.pdf.exe
  • Suspicious use of WriteProcessMemory
    Processes: 678900.pdf.exe, 678900.pdf.exe

    Reported IOCs

    description                       pid   process         target process
    PID 1492 wrote to memory of 1052  1492  678900.pdf.exe  678900.pdf.exe  (9 events)
    PID 1052 wrote to memory of 1336  1052  678900.pdf.exe  vbc.exe         (10 events)
  • Suspicious use of SetThreadContext
    Processes: 678900.pdf.exe, 678900.pdf.exe

    Reported IOCs

    description                            pid   process         target process
    PID 1492 set thread context of 1052    1492  678900.pdf.exe  678900.pdf.exe
    PID 1052 set thread context of 1336    1052  678900.pdf.exe  vbc.exe
  • Suspicious use of SetWindowsHookEx
    Processes: 678900.pdf.exe

    Reported IOCs

    pid   process
    1052  678900.pdf.exe
  • Uses the VBS compiler for execution

    TTPs

    Scripting
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System
    Credentials in Files
  • HawkEye Reborn

    Description

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

  • Suspicious use of AdjustPrivilegeToken
    Processes: 678900.pdf.exe, 678900.pdf.exe

    Reported IOCs

    description               pid   process
    Token: SeDebugPrivilege   1492  678900.pdf.exe
    Token: SeDebugPrivilege   1052  678900.pdf.exe
Processes (3)
  • C:\Users\Admin\AppData\Local\Temp\678900.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\678900.pdf.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    Suspicious use of SetThreadContext
    Suspicious use of AdjustPrivilegeToken
    PID:1492
    • C:\Users\Admin\AppData\Local\Temp\678900.pdf.exe
      "{path}"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of AdjustPrivilegeToken
      PID:1052
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp21B2.tmp"
        Suspicious behavior: EnumeratesProcesses
        PID:1336
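The signatures and process tree above record a two-stage injection chain: the sample spawns a second copy of its own image (PID 1492 to 1052), writes into it and calls SetThreadContext on it, and that hollowed copy does the same to vbc.exe (PID 1052 to 1336) started with /stext, a switch the .NET compiler does not have; the file named after /stext is the tmp21B2.tmp listed under Downloads. The Python below is an added example, not part of the sandbox report: it runs that detection logic over process-telemetry events constructed to mirror the PIDs, counts and command lines shown. The event schema, the parent PID 1000 for the first process, and the benign debugger control events are assumptions, not data from the report.

```python
"""Detect the two-stage injection chain recorded in the report from
process-telemetry events: hollowing into a second copy of the sample,
then into vbc.exe launched with /stext.

Added example, not part of the sandbox report. The events below are
constructed to mirror the PIDs and command lines the report shows; their
schema is an assumption about what a Sysmon/EDR pipeline would provide.
"""
import ntpath
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\678900.pdf.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp\tmp21B2.tmp"


def _create(pid, ppid, image, cmdline):
    return {"event": "ProcessCreate", "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}


# Constructed events mirroring the report; write counts match its IOC
# tables. PID 1000 and the two "debuggee" events are invented controls.
EVENTS = (
    [_create(1492, 1000, SAMPLE, f'"{SAMPLE}"'),
     {"event": "AdjustPrivilegeToken", "pid": 1492, "privilege": "SeDebugPrivilege"},
     _create(1052, 1492, SAMPLE, '"{path}"')]
    + [{"event": "WriteProcessMemory", "pid": 1492, "target": 1052}] * 9
    + [{"event": "SetThreadContext", "pid": 1492, "target": 1052},
       _create(1336, 1052, VBC, f'"{VBC}" /stext "{TMP}"')]
    + [{"event": "WriteProcessMemory", "pid": 1052, "target": 1336}] * 10
    + [{"event": "SetThreadContext", "pid": 1052, "target": 1336},
       # Benign control: a debugger-style SetThreadContext with no prior
       # memory writes and no parent/child relation must not be flagged.
       _create(2001, 1, r"C:\tools\debuggee.exe", '"debuggee.exe"'),
       {"event": "SetThreadContext", "pid": 2000, "target": 2001}]
)


def detect_injection_chain(events):
    """Flag write+SetThreadContext into a process's own child (hollowing)
    and vbc.exe launched with /stext; mark second-stage findings chained."""
    procs = {}
    writes = defaultdict(int)
    contexts = []
    for e in events:
        if e["event"] == "ProcessCreate":
            procs[e["pid"]] = e
        elif e["event"] == "WriteProcessMemory":
            writes[(e["pid"], e["target"])] += 1
        elif e["event"] == "SetThreadContext":
            contexts.append((e["pid"], e["target"]))

    findings = []
    for src, dst in contexts:
        child = procs.get(dst)
        n = writes[(src, dst)]
        # Hollowing = spawn a child, overwrite its image, redirect its thread.
        # SetThreadContext alone, or into a non-child, is not enough.
        if n == 0 or child is None or child["ppid"] != src:
            continue
        parent = procs.get(src)
        same_image = (parent is not None and
                      ntpath.basename(parent["image"]).lower()
                      == ntpath.basename(child["image"]).lower())
        findings.append({
            "kind": "self_hollowing" if same_image else "hollowing",
            "source": src, "target": dst,
            "target_image": ntpath.basename(child["image"]), "writes": n,
        })

    hollowed = {f["target"] for f in findings}
    for p in procs.values():
        # /stext is not a compiler switch; it names an output file for
        # whatever payload was injected into the compiler process.
        if (ntpath.basename(p["image"]).lower() == "vbc.exe"
                and "/stext" in p["cmdline"].lower()):
            findings.append({
                "kind": "vbc_stext", "source": p["ppid"], "target": p["pid"],
                "target_image": "vbc.exe", "cmdline": p["cmdline"], "writes": 0,
            })
    # A finding whose source was itself hollowed is the second stage of a chain.
    for f in findings:
        f["chained"] = f["source"] in hollowed
    return findings


if __name__ == "__main__":
    for finding in detect_injection_chain(EVENTS):
        print(finding)
```

Requiring both memory writes and a parent/child relation before calling SetThreadContext suspicious is what keeps debuggers and legitimate thread manipulation out of the results; the chained flag is the part worth alerting on, since a hollowed process that immediately hollows a signed Microsoft binary is the pattern this report shows.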
Network
MITRE ATT&CK Matrix

Tactic columns: Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads

• C:\Users\Admin\AppData\Local\Temp\tmp21B2.tmp
• memory/1052-0-0x0000000000400000-0x00000000004AA000-memory.dmp
• memory/1052-1-0x0000000000400000-0x00000000004AA000-memory.dmp
• memory/1052-2-0x0000000000400000-0x00000000004AA000-memory.dmp
• memory/1336-3-0x0000000000400000-0x0000000000477000-memory.dmp
• memory/1336-4-0x0000000000400000-0x0000000000477000-memory.dmp