678900.pdf.exe

General

Target: 678900.pdf.exe
Filesize: 802KB
Completed: 26-05-2020 13:19
Score: 10/10
MD5: 109964ff67ad854a737b1cd1902a5424
SHA1: afcf13c1f3e3d4e19f20e8449302e429e10c5d7c
SHA256: a5a00f206182c8e732f580b520af49f2b5a33c93676f15e8eadb5d1eba6ed497

Note on the target name: the double extension ".pdf.exe" is a lure. With Explorer's default "hide extensions for known file types" setting the file is displayed as 678900.pdf.

Malware Config

Extracted

Family: hawkeye_reborn
Version: 10.1.0.0

Credentials

Protocol: smtp
Host: mail.3enaluminyum.com.tr
Port: 587
Username: ihgungor@3enaluminyum.com.tr
Password: 3eN13579?

These are the SMTP credentials the sample carries for mailing out its logs (the same values appear as _EmailServer, _EmailUsername and _EmailPassword in the fields below); they are the operator's delivery account, not data harvested from the victim.

Attributes

fields (the decoded config, printed by the sandbox as a Go map; one key per line, values as printed):

_AntiDebugger: false
_AntiVirusKiller: false
_BotKiller: false
_ClipboardLogger: true
_Delivery: 0
_DisableCommandPrompt: false
_DisableRegEdit: false
_DisableTaskManager: false
_Disablers: false
_EmailPassword: 3eN13579?
_EmailPort: 587
_EmailSSL: true
_EmailServer: mail.3enaluminyum.com.tr
_EmailUsername: ihgungor@3enaluminyum.com.tr
_ExecutionDelay: 10
_FTPPort: 0
_FTPSFTP: false
_FakeMessageIcon: 0
_FakeMessageShow: false
_FileBinder: false
_HideFile: false
_HistoryCleaner: false
_Install: false
_InstallLocation: 0
_InstallStartup: false
_InstallStartupPersistance: false
_KeyStrokeLogger: true
_LogInterval: 10
_MeltFile: false
_Mutex: 1278e7d4-dcd9-4a7a-8780-d6f5636aa3de
_PasswordStealer: true
_ProcessElevation: false
_ProcessProtection: false
_ScreenshotLogger: false
_SystemInfo: false
_Version: 10.1.0.0
_WebCamLogger: false
_WebsiteBlocker: false
_WebsiteVisitor: false
_WebsiteVisitorVisible: false
_ZoneID: false

Only four switches are on: _ClipboardLogger, _KeyStrokeLogger, _PasswordStealer and _EmailSSL. Every install/persistence switch (_Install, _InstallStartup, _InstallStartupPersistance) is off, so this build runs once from its drop location and does not survive a reboot; the mutex and SMTP host are the stable host and network indicators.

name
HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null

The name is the .NET assembly display name of the payload; PublicKeyToken=null means the assembly is not strong-named.
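The fields line above is the decoded config printed as a Go map literal. The parser below is an added example (editor's code, not part of the sandbox report or of the HawkEye kit) that turns that line into typed values and answers the first triage questions: which loggers are switched on, where the logs are mailed, and whether persistence was configured. The map text is copied from the report; the function names are my own, and the assumption that delivery goes over SMTP comes from the report's own credential extraction, not from the numeric _Delivery value.

```python
"""Parse a HawkEye Reborn config as printed by the sandbox (Go map literal).

Added example, not the sandbox's or the malware's code. The RAW_FIELDS
string is the report's "fields" line copied verbatim; all helpers are mine.
"""
import re

RAW_FIELDS = (
    "map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false "
    "_ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false "
    "_DisableRegEdit:false _DisableTaskManager:false _Disablers:false "
    "_EmailPassword:3eN13579? _EmailPort:587 _EmailSSL:true "
    "_EmailServer:mail.3enaluminyum.com.tr "
    "_EmailUsername:ihgungor@3enaluminyum.com.tr _ExecutionDelay:10 "
    "_FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false "
    "_FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false "
    "_InstallLocation:0 _InstallStartup:false "
    "_InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 "
    "_MeltFile:false _Mutex:1278e7d4-dcd9-4a7a-8780-d6f5636aa3de "
    "_PasswordStealer:true _ProcessElevation:false _ProcessProtection:false "
    "_ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 "
    "_WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false "
    "_WebsiteVisitorVisible:false _ZoneID:false]"
)

_INT = re.compile(r"-?\d+")


def _coerce(value: str):
    """Go prints bools as true/false and ints bare; anything else stays a str
    (hostnames, the GUID mutex, the dotted version, the password)."""
    if value == "true":
        return True
    if value == "false":
        return False
    if _INT.fullmatch(value):
        return int(value)
    return value


def parse_config(raw: str) -> dict:
    """Turn 'map[_Key:value ...]' into {key: typed value}."""
    body = raw.strip()
    if not (body.startswith("map[") and body.endswith("]")):
        raise ValueError("not a Go map literal")
    body = body[len("map["):-1]
    cfg = {}
    # Caveat: Go does not quote map values, so a value containing a space
    # would be split here. None of this sample's values contain one; a
    # general parser would re-join tokens using the known key list.
    for token in body.split():
        key, sep, value = token.partition(":")  # first ':' only; values may contain '@' or '?'
        if not sep or not key.startswith("_"):
            raise ValueError(f"unexpected token: {token!r}")
        cfg[key] = _coerce(value)
    return cfg


def true_flags(cfg: dict) -> list:
    """Every boolean switch the operator turned on, sorted by key."""
    return sorted(k for k, v in cfg.items() if v is True)


def persistence_configured(cfg: dict) -> bool:
    """True if any install/startup switch is set (this build has none)."""
    return any(cfg[k] for k in ("_Install", "_InstallStartup", "_InstallStartupPersistance"))


def exfil_endpoint(cfg: dict) -> dict:
    """Delivery endpoint. 'smtp' is taken from the report's credential
    extraction (assumption: the _Email* keys are the live channel)."""
    return {
        "protocol": "smtp",
        "host": cfg["_EmailServer"],
        "port": cfg["_EmailPort"],
        "tls": cfg["_EmailSSL"],
        "username": cfg["_EmailUsername"],
    }


if __name__ == "__main__":
    c = parse_config(RAW_FIELDS)
    print("enabled:", true_flags(c))
    print("persistence:", persistence_configured(c))
    print("exfil:", exfil_endpoint(c))
    print("mutex:", c["_Mutex"])
```

The output of this run is the same summary a triage note would carry: clipboard logger, keystroke logger and password stealer on, no persistence, logs mailed over TLS on port 587 to the host listed under Credentials, and a GUID mutex to hunt for.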
Signatures 9

Tactics observed: Collection, Credential Access, Defense Evasion
  • HawkEye Reborn

    Description

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

  • Uses the VBS compiler for execution

    Description

    vbc.exe is the .NET Framework Visual Basic command-line compiler, not a VBScript host. The two vbc.exe children of PID 1836 are not compiling anything: the process tree below shows them launched with "/stext <tempfile>", which is the plain-text output switch of the NirSoft password-recovery utilities this family is known to carry, and the SetThreadContext signature shows PID 1836 redirecting their execution. A signed Microsoft binary is being used as a hollow host for the credential-stealing modules.

    TTPs

    Scripting
  • Reads user/profile data of web browsers

    Description

    Infostealers commonly read browser profile data, which includes saved credentials, cookies and history. This matches _PasswordStealer:true in the extracted config.

    TTPs

    Data from Local System
    Credentials in Files
  • Suspicious use of WriteProcessMemory
    678900.pdf.exe (PID 1312), 678900.pdf.exe (PID 1836)

    Reported IOCs (repeated rows collapsed; count = number of observed calls)

    description                        | pid  | process        | target process | count
    PID 1312 wrote to memory of 1712   | 1312 | 678900.pdf.exe | 678900.pdf.exe | 3
    PID 1312 wrote to memory of 1836   | 1312 | 678900.pdf.exe | 678900.pdf.exe | 8
    PID 1836 wrote to memory of 3544   | 1836 | 678900.pdf.exe | vbc.exe        | 9
    PID 1836 wrote to memory of 4080   | 1836 | 678900.pdf.exe | vbc.exe        | 9
  • Suspicious use of SetWindowsHookEx
    678900.pdf.exe (PID 1836)

    Reported IOCs

    pid  | process
    1836 | 678900.pdf.exe

    SetWindowsHookEx is the user-mode API for installing keyboard hooks. This is the keystroke logger (_KeyStrokeLogger:true in the extracted config), and it runs in the injected second copy of the sample (PID 1836), not in the vbc.exe hosts.
  • Suspicious use of SetThreadContext
    678900.pdf.exe (PID 1312), 678900.pdf.exe (PID 1836)

    Reported IOCs

    description                         | pid  | process        | target process
    PID 1312 set thread context of 1836 | 1312 | 678900.pdf.exe | 678900.pdf.exe
    PID 1836 set thread context of 3544 | 1836 | 678900.pdf.exe | vbc.exe
    PID 1836 set thread context of 4080 | 1836 | 678900.pdf.exe | vbc.exe

    WriteProcessMemory followed by SetThreadContext on the same target is the process-hollowing pattern: the first stage (1312) hollows a fresh copy of itself (1836), which in turn hollows two vbc.exe instances. PID 1712 was written to but never had its thread context set, so no execution was redirected into it.
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    5    | bot.whatismyipaddress.com
  • Suspicious use of AdjustPrivilegeToken
    678900.pdf.exe (PID 1312), 678900.pdf.exe (PID 1836)

    Reported IOCs

    description             | pid  | process
    Token: SeDebugPrivilege | 1312 | 678900.pdf.exe
    Token: SeDebugPrivilege | 1836 | 678900.pdf.exe

    Both injecting processes enable SeDebugPrivilege, the privilege used to open and write other processes, before the WriteProcessMemory calls listed above.
  • Suspicious behavior: EnumeratesProcesses
    678900.pdf.exe (PID 1312), vbc.exe (PID 3544), 678900.pdf.exe (PID 1836)

    Reported IOCs (repeated rows collapsed; count = number of observed enumerations)

    pid  | process        | count
    1312 | 678900.pdf.exe | 6
    3544 | vbc.exe        | 4
    1836 | 678900.pdf.exe | 2
Processes 5
  • C:\Users\Admin\AppData\Local\Temp\678900.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\678900.pdf.exe"
    Suspicious use of WriteProcessMemory
    Suspicious use of SetThreadContext
    Suspicious use of AdjustPrivilegeToken
    Suspicious behavior: EnumeratesProcesses
    PID:1312
    • C:\Users\Admin\AppData\Local\Temp\678900.pdf.exe
      "{path}"
      PID:1712
    • C:\Users\Admin\AppData\Local\Temp\678900.pdf.exe
      "{path}"
      Suspicious use of WriteProcessMemory
      Suspicious use of SetWindowsHookEx
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious behavior: EnumeratesProcesses
      PID:1836
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1728.tmp"
        Suspicious behavior: EnumeratesProcesses
        PID:3544
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1B3F.tmp"
        PID:4080
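The WriteProcessMemory and SetThreadContext signatures list (source, target) pid pairs, and the process tree gives each pid's command line. Joining the two reconstructs the injection chain and separates self-injection (the unpacking stage) from hollowing of a foreign, signed binary. The script below is an added example (editor's code, not part of the sandbox report): the event rows are the report's with a "|" column separator restored and repeated rows trimmed, the process table is the report's tree, and the "/stext" heuristic assumes, as is documented for this family, that the switch belongs to NirSoft password-recovery utilities running inside the hollowed vbc.exe hosts.

```python
"""Reconstruct a process-hollowing chain from sandbox injection events.

Added example, not the sandbox's code. EVENTS and PROCESSES are transcribed
from the report above (column separators restored); helper names are mine.
"""
import re
from collections import defaultdict

# Rows from the WriteProcessMemory / SetThreadContext "Reported IOCs" tables.
# Repeats are kept for some pairs because the count is itself a signal.
EVENTS = """\
PID 1312 wrote to memory of 1712 | 678900.pdf.exe | 678900.pdf.exe
PID 1312 wrote to memory of 1712 | 678900.pdf.exe | 678900.pdf.exe
PID 1312 wrote to memory of 1712 | 678900.pdf.exe | 678900.pdf.exe
PID 1312 wrote to memory of 1836 | 678900.pdf.exe | 678900.pdf.exe
PID 1312 wrote to memory of 1836 | 678900.pdf.exe | 678900.pdf.exe
PID 1836 wrote to memory of 3544 | 678900.pdf.exe | vbc.exe
PID 1836 wrote to memory of 4080 | 678900.pdf.exe | vbc.exe
PID 1312 set thread context of 1836 | 678900.pdf.exe | 678900.pdf.exe
PID 1836 set thread context of 3544 | 678900.pdf.exe | vbc.exe
PID 1836 set thread context of 4080 | 678900.pdf.exe | vbc.exe
"""

# Process tree from the report: pid -> (parent pid, command line).
PROCESSES = {
    1312: (None, r'"C:\Users\Admin\AppData\Local\Temp\678900.pdf.exe"'),
    1712: (1312, r'"C:\Users\Admin\AppData\Local\Temp\678900.pdf.exe"'),
    1836: (1312, r'"C:\Users\Admin\AppData\Local\Temp\678900.pdf.exe"'),
    3544: (1836, r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1728.tmp"'),
    4080: (1836, r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1B3F.tmp"'),
}

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+)"
    r" \| (?P<src_img>\S+) \| (?P<dst_img>\S+)")
# Heuristic (assumption): /stext "<file>" is the NirSoft plain-text output switch.
STEXT_RE = re.compile(r'/stext\s+"([^"]+)"')


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = EVENT_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        d = m.groupdict()
        events.append({"src": int(d["src"]), "dst": int(d["dst"]), "op": d["op"],
                       "src_img": d["src_img"], "dst_img": d["dst_img"]})
    return events


def pair_ops(events: list) -> dict:
    """(src, dst) -> {op: count}. One write plus one context set is a different
    picture from many writes (a payload being mapped section by section)."""
    ops = defaultdict(lambda: defaultdict(int))
    for e in events:
        ops[(e["src"], e["dst"])][e["op"]] += 1
    return ops


def classify(events: list, procs: dict):
    """Split pairs into hollowing candidates (memory written AND thread context
    set) and write-only targets (memory written, execution never redirected)."""
    imgs = {}
    for e in events:
        imgs[e["src"]] = e["src_img"]
        imgs[e["dst"]] = e["dst_img"]
    hollowed, write_only = [], []
    for (src, dst), ops in sorted(pair_ops(events).items()):
        if "set thread context of" in ops and "wrote to memory of" in ops:
            m = STEXT_RE.search(procs[dst][1])
            hollowed.append({
                "src": src, "dst": dst, "dst_img": imgs[dst],
                "cross_image": imgs[src] != imgs[dst],   # foreign host = classic hollowing
                "writes": ops["wrote to memory of"],
                "stext_dump": m.group(1) if m else None,  # file the stealer writes its results to
            })
        elif "wrote to memory of" in ops:
            write_only.append((src, dst))
    return hollowed, write_only


def chain(hollowed: list) -> str:
    """Render the hollowing graph as 'root -> child -> {grandchildren}'."""
    children = defaultdict(list)
    for h in hollowed:
        children[h["src"]].append(h["dst"])
    targets = {d for ds in children.values() for d in ds}
    roots = [s for s in children if s not in targets]

    def render(pid):
        kids = children.get(pid, [])
        if not kids:
            return str(pid)
        if len(kids) == 1:
            return f"{pid} -> {render(kids[0])}"
        return f"{pid} -> {{{', '.join(render(k) for k in kids)}}}"

    return "; ".join(render(r) for r in roots)


if __name__ == "__main__":
    hollowed, write_only = classify(parse_events(EVENTS), PROCESSES)
    print("chain:", chain(hollowed))
    for h in hollowed:
        print(h)
    print("written but never executed:", write_only)
```

Run against the report's data this prints "1312 -> 1836 -> {3544, 4080}", flags the two vbc.exe pairs as cross-image hollowing with their tmp1728.tmp and tmp1B3F.tmp dump paths, and lists (1312, 1712) as a write-only target, which is exactly what the two signature tables say when read together.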
Network

MITRE ATT&CK Matrix

Tactic columns shown: Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation. The techniques observed for this sample are the TTPs listed under each signature above.

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1728.tmp
  • memory/1836-0-0x0000000000400000-0x00000000004AA000-memory.dmp
  • memory/3544-1-0x0000000000400000-0x0000000000477000-memory.dmp
  • memory/3544-2-0x0000000000400000-0x0000000000477000-memory.dmp
  • memory/4080-4-0x0000000000400000-0x0000000000455000-memory.dmp
  • memory/4080-5-0x0000000000400000-0x0000000000455000-memory.dmp

tmp1728.tmp is the "/stext" output file named on the command line of vbc.exe PID 3544. The dumps of the two vbc.exe processes have different sizes (0x77000 for PID 3544, 0x55000 for PID 4080), so the two hosts received two different injected images, and neither matches the 0xAA000 image injected into PID 1836; all three dumps are worth scanning separately.