Overview

overview

10

Static

static

678900.pdf.exe

windows7_x64

10

678900.pdf.exe

windows10_x64

10

Analysis

  • max time kernel
    133s
  • max time network
    85s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    26-05-2020 13:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    678900.pdf.exe

  • Size

    802KB

  • MD5

    109964ff67ad854a737b1cd1902a5424

  • SHA1

    afcf13c1f3e3d4e19f20e8449302e429e10c5d7c

  • SHA256

    a5a00f206182c8e732f580b520af49f2b5a33c93676f15e8eadb5d1eba6ed497

  • SHA512

    501b5bb9825fd116882863688f72f4d1cc03e64d10c8d3706b5870f48415f6b87675e17a4548e3da2e8d820d529ba1ffc806ddd0926fd2ac67b2be46c0b5003a

Score
10/10
keyloggertrojanstealerspywarehawkeye_reborn

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.0.0

Credentials

  • Protocol:     smtp
  • Host:
    mail.3enaluminyum.com.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    3eN13579?
Mutex

1278e7d4-dcd9-4a7a-8780-d6f5636aa3de

Attributes
  • fields

    map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:3eN13579? _EmailPort:587 _EmailSSL:true _EmailServer:mail.3enaluminyum.com.tr _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:1278e7d4-dcd9-4a7a-8780-d6f5636aa3de _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]

  • name

    HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn
  • Uses the VBS compiler for execution 1 TTPs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\678900.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\678900.pdf.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    PID:1312
    • C:\Users\Admin\AppData\Local\Temp\678900.pdf.exe
      "{path}"
      2⤵
        PID:1712
      • C:\Users\Admin\AppData\Local\Temp\678900.pdf.exe
        "{path}"
        2⤵
        • Suspicious use of WriteProcessMemory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:1836
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1728.tmp"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3544
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1B3F.tmp"
          3⤵
            PID:4080

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp1728.tmp
        Download Submit

      • memory/1836-0-0x0000000000400000-0x00000000004AA000-memory.dmp

        Filesize

        680KB

        Download

      • memory/3544-1-0x0000000000400000-0x0000000000477000-memory.dmp

        Filesize

        476KB

        Download

      • memory/3544-2-0x0000000000400000-0x0000000000477000-memory.dmp

        Filesize

        476KB

        Download

      • memory/4080-4-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/4080-5-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download