payment advise.pdf.exe

General

Target:     payment advise.pdf.exe
Filesize:   782KB
Completed:  26-05-2020 15:43
Score:      10/10
MD5:        59cf7c2408af41d05163a6180244cd6f
SHA1:       152b19b94444a67b790f0e249a05ab3e4449d3d8
SHA256:     a0e92f094e8bc8945550860f46aa822ce8f31506ea643e1b04c33fabf4fe9413

Malware Config

Extracted

Family:   hawkeye_reborn
Version:  10.1.0.0

Credentials

Protocol: smtp
Host:     mail.3enaluminyum.com.tr
Port:     587
Username: ihgungor@3enaluminyum.com.tr
Password: 3eN13579?

Attributes

fields
  _AntiDebugger:               false
  _AntiVirusKiller:            false
  _BotKiller:                  false
  _ClipboardLogger:            true
  _Delivery:                   0
  _DisableCommandPrompt:       false
  _DisableRegEdit:             false
  _DisableTaskManager:         false
  _Disablers:                  false
  _EmailPassword:              3eN13579?
  _EmailPort:                  587
  _EmailSSL:                   true
  _EmailServer:                mail.3enaluminyum.com.tr
  _EmailUsername:              ihgungor@3enaluminyum.com.tr
  _ExecutionDelay:             10
  _FTPPort:                    0
  _FTPSFTP:                    false
  _FakeMessageIcon:            0
  _FakeMessageShow:            false
  _FileBinder:                 false
  _HideFile:                   false
  _HistoryCleaner:             false
  _Install:                    false
  _InstallLocation:            0
  _InstallStartup:             false
  _InstallStartupPersistance:  false
  _KeyStrokeLogger:            true
  _LogInterval:                10
  _MeltFile:                   false
  _Mutex:                      1278e7d4-dcd9-4a7a-8780-d6f5636aa3de
  _PasswordStealer:            true
  _ProcessElevation:           false
  _ProcessProtection:          false
  _ScreenshotLogger:           false
  _SystemInfo:                 false
  _Version:                    10.1.0.0
  _WebCamLogger:               false
  _WebsiteBlocker:             false
  _WebsiteVisitor:             false
  _WebsiteVisitorVisible:      false
  _ZoneID:                     false

name
  HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null
Signatures 8

Collection
Credential Access
Defense Evasion
  • HawkEye Reborn

    Description

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

  • Uses the VBS compiler for execution

    TTPs

    Scripting
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Suspicious use of AdjustPrivilegeToken
    payment advise.pdf.exe, payment advise.pdf.exe

    Reported IOCs

    description               pid   process
    Token: SeDebugPrivilege   1032  payment advise.pdf.exe
    Token: SeDebugPrivilege   1476  payment advise.pdf.exe
  • Suspicious behavior: EnumeratesProcesses
    payment advise.pdf.exe, vbc.exe, payment advise.pdf.exe

    Reported IOCs

    pid   process
    1032  payment advise.pdf.exe
    1032  payment advise.pdf.exe
    1032  payment advise.pdf.exe
    1032  payment advise.pdf.exe
    1032  payment advise.pdf.exe
    1032  payment advise.pdf.exe
    1276  vbc.exe
    1476  payment advise.pdf.exe
  • Suspicious use of WriteProcessMemory
    payment advise.pdf.exe, payment advise.pdf.exe

    Reported IOCs

    description                        pid   process                 target process
    PID 1032 wrote to memory of 1052   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1052   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1052   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1052   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1512   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1512   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1512   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1512   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1500   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1500   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1500   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1500   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1476   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1476   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1476   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1476   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1476   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1476   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1476   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1476   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1032 wrote to memory of 1476   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1476 wrote to memory of 1276   1476  payment advise.pdf.exe  vbc.exe
    PID 1476 wrote to memory of 1276   1476  payment advise.pdf.exe  vbc.exe
    PID 1476 wrote to memory of 1276   1476  payment advise.pdf.exe  vbc.exe
    PID 1476 wrote to memory of 1276   1476  payment advise.pdf.exe  vbc.exe
    PID 1476 wrote to memory of 1276   1476  payment advise.pdf.exe  vbc.exe
    PID 1476 wrote to memory of 1276   1476  payment advise.pdf.exe  vbc.exe
    PID 1476 wrote to memory of 1276   1476  payment advise.pdf.exe  vbc.exe
    PID 1476 wrote to memory of 1276   1476  payment advise.pdf.exe  vbc.exe
    PID 1476 wrote to memory of 1276   1476  payment advise.pdf.exe  vbc.exe
    PID 1476 wrote to memory of 1276   1476  payment advise.pdf.exe  vbc.exe
  • Suspicious use of SetThreadContext
    payment advise.pdf.exe, payment advise.pdf.exe

    Reported IOCs

    description                           pid   process                 target process
    PID 1032 set thread context of 1476   1032  payment advise.pdf.exe  payment advise.pdf.exe
    PID 1476 set thread context of 1276   1476  payment advise.pdf.exe  vbc.exe
  • Suspicious use of SetWindowsHookEx
    payment advise.pdf.exe

    Reported IOCs

    pid   process
    1476  payment advise.pdf.exe
Processes 6
  • C:\Users\Admin\AppData\Local\Temp\payment advise.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\payment advise.pdf.exe"
    Suspicious use of AdjustPrivilegeToken
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    Suspicious use of SetThreadContext
    PID:1032
    • C:\Users\Admin\AppData\Local\Temp\payment advise.pdf.exe
      "{path}"
      PID:1052
    • C:\Users\Admin\AppData\Local\Temp\payment advise.pdf.exe
      "{path}"
      PID:1512
    • C:\Users\Admin\AppData\Local\Temp\payment advise.pdf.exe
      "{path}"
      PID:1500
    • C:\Users\Admin\AppData\Local\Temp\payment advise.pdf.exe
      "{path}"
      Suspicious use of AdjustPrivilegeToken
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1476
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1F81.tmp"
        Suspicious behavior: EnumeratesProcesses
        PID:1276
Network

MITRE ATT&CK Matrix

Downloads
  • C:\Users\Admin\AppData\Local\Temp\tmp1F81.tmp
  • memory/1276-3-0x0000000000400000-0x0000000000477000-memory.dmp
  • memory/1276-4-0x0000000000400000-0x0000000000477000-memory.dmp
  • memory/1476-0-0x0000000000400000-0x00000000004AA000-memory.dmp
  • memory/1476-1-0x0000000000400000-0x00000000004AA000-memory.dmp
  • memory/1476-2-0x0000000000400000-0x00000000004AA000-memory.dmp