Resubmissions
03-06-2020 12:03
200603-9912c6qzfj 1027-05-2020 16:08
200527-ebn7m547vs 1008-05-2020 16:03
200508-9x7fd97kre 10Analysis
-
max time kernel
126s -
max time network
150s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
03-06-2020 12:03
Static task
static1
Behavioral task
behavioral1
Sample
PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
Resource
win10v200430
General
-
Target
PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
-
Size
781KB
-
MD5
f31581564b5bbc14d3c862c2be157a52
-
SHA1
64e62fe3198a16cb205acd31400af967ad3dd347
-
SHA256
7c0f66eed3a2fc7c90ab5db03483aada693894a77a1480e22521ccf422a08ba3
-
SHA512
ded28a91894313cbdd5678ec191c1e138d524ce3785ca96a255b2bc09cf5f18b8d287a48cf6b754d658f5ab70d95f933899208dc54c21f6b113a0e87200f3f1a
Malware Config
Extracted
hawkeye_reborn
10.0.0.1
Protocol: smtp- Host:
mail.eagleeyeapparels.com - Port:
587 - Username:
[email protected] - Password:
eagle*qaz
f98d37f4-ca90-4ed7-9f6f-6121c4014605
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:eagle*qaz _EmailPort:587 _EmailSSL:true _EmailServer:mail.eagleeyeapparels.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:f98d37f4-ca90-4ed7-9f6f-6121c4014605 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:true _SystemInfo:true _Version:10.0.0.1 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye RebornX, Version=10.0.0.1, Culture=neutral, PublicKeyToken=null
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 bot.whatismyipaddress.com -
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exepid process 1628 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe 1628 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe 1628 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe 1628 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe 1628 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe 64 vbc.exe 64 vbc.exe 64 vbc.exe 64 vbc.exe 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
PO HALLEY PROJECT01X40 CFR 72020.tbz2.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exedescription pid process target process PID 1628 wrote to memory of 2040 1628 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 1628 wrote to memory of 2040 1628 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 1628 wrote to memory of 2040 1628 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 1628 wrote to memory of 1568 1628 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 1628 wrote to memory of 1568 1628 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 1628 wrote to memory of 1568 1628 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 1628 wrote to memory of 1568 1628 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 1628 wrote to memory of 1568 1628 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 1628 wrote to memory of 1568 1628 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 1628 wrote to memory of 1568 1628 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 1628 wrote to memory of 1568 1628 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 1568 wrote to memory of 64 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe PID 1568 wrote to memory of 64 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe PID 1568 wrote to memory of 64 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe PID 1568 wrote to memory of 64 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe PID 1568 wrote to memory of 64 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe PID 1568 wrote to memory of 64 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe PID 1568 wrote to memory of 64 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe PID 1568 wrote to memory of 64 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe PID 1568 wrote to memory of 64 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe PID 1568 wrote to memory of 752 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe PID 1568 wrote to memory of 752 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe PID 1568 wrote to memory of 752 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe PID 1568 wrote to memory of 752 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe PID 1568 wrote to memory of 752 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe PID 1568 wrote to memory of 752 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe PID 1568 wrote to memory of 752 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe PID 1568 wrote to memory of 752 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe PID 1568 wrote to memory of 752 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
PO HALLEY PROJECT01X40 CFR 72020.tbz2.exepid process 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe -
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
PO HALLEY PROJECT01X40 CFR 72020.tbz2.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exedescription pid process Token: SeDebugPrivilege 1628 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe Token: SeDebugPrivilege 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
PO HALLEY PROJECT01X40 CFR 72020.tbz2.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exedescription pid process target process PID 1628 set thread context of 1568 1628 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 1568 set thread context of 64 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe PID 1568 set thread context of 752 1568 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe vbc.exe -
Uses the VBS compiler for execution 1 TTPs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe"C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe"{path}"2⤵PID:2040
-
C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:1568 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4B47.tmp"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:64 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5366.tmp"3⤵PID:752