PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

General
Target

PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

Filesize

781KB

Completed

03-06-2020 12:06

Score
10/10
MD5

f31581564b5bbc14d3c862c2be157a52

SHA1

64e62fe3198a16cb205acd31400af967ad3dd347

SHA256

7c0f66eed3a2fc7c90ab5db03483aada693894a77a1480e22521ccf422a08ba3

Malware Config

Extracted

Family hawkeye_reborn
Version 10.0.0.1
Credentials

Protocol: smtp

Host: mail.eagleeyeapparels.com

Port: 587

Username: faruq@eagleeyeapparels.com

Password: eagle*qaz
Attributes
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:eagle*qaz _EmailPort:587 _EmailSSL:true _EmailServer:mail.eagleeyeapparels.com _EmailUsername:faruq@eagleeyeapparels.com _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:f98d37f4-ca90-4ed7-9f6f-6121c4014605 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:true _SystemInfo:true _Version:10.0.0.1 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye RebornX, Version=10.0.0.1, Culture=neutral, PublicKeyToken=null
Signatures 9

Filter: none

Collection
Credential Access
Defense Evasion
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flowioc
    3bot.whatismyipaddress.com
  • Suspicious behavior: EnumeratesProcesses
    PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

    Reported IOCs

    pidprocess
    1628PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    1628PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    1628PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    1628PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    1628PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    64vbc.exe
    64vbc.exe
    64vbc.exe
    64vbc.exe
    1568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    1568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
  • Suspicious use of WriteProcessMemory
    PO HALLEY PROJECT01X40 CFR 72020.tbz2.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1628 wrote to memory of 20401628PO HALLEY PROJECT01X40 CFR 72020.tbz2.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1628 wrote to memory of 20401628PO HALLEY PROJECT01X40 CFR 72020.tbz2.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1628 wrote to memory of 20401628PO HALLEY PROJECT01X40 CFR 72020.tbz2.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1628 wrote to memory of 15681628PO HALLEY PROJECT01X40 CFR 72020.tbz2.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1628 wrote to memory of 15681628PO HALLEY PROJECT01X40 CFR 72020.tbz2.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1628 wrote to memory of 15681628PO HALLEY PROJECT01X40 CFR 72020.tbz2.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1628 wrote to memory of 15681628PO HALLEY PROJECT01X40 CFR 72020.tbz2.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1628 wrote to memory of 15681628PO HALLEY PROJECT01X40 CFR 72020.tbz2.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1628 wrote to memory of 15681628PO HALLEY PROJECT01X40 CFR 72020.tbz2.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1628 wrote to memory of 15681628PO HALLEY PROJECT01X40 CFR 72020.tbz2.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1628 wrote to memory of 15681628PO HALLEY PROJECT01X40 CFR 72020.tbz2.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1568 wrote to memory of 641568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
    PID 1568 wrote to memory of 641568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
    PID 1568 wrote to memory of 641568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
    PID 1568 wrote to memory of 641568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
    PID 1568 wrote to memory of 641568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
    PID 1568 wrote to memory of 641568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
    PID 1568 wrote to memory of 641568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
    PID 1568 wrote to memory of 641568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
    PID 1568 wrote to memory of 641568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
    PID 1568 wrote to memory of 7521568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
    PID 1568 wrote to memory of 7521568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
    PID 1568 wrote to memory of 7521568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
    PID 1568 wrote to memory of 7521568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
    PID 1568 wrote to memory of 7521568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
    PID 1568 wrote to memory of 7521568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
    PID 1568 wrote to memory of 7521568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
    PID 1568 wrote to memory of 7521568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
    PID 1568 wrote to memory of 7521568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
  • Suspicious use of SetWindowsHookEx
    PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

    Reported IOCs

    pidprocess
    1568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
  • HawkEye Reborn

    Description

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    Tags

  • Suspicious use of AdjustPrivilegeToken
    PO HALLEY PROJECT01X40 CFR 72020.tbz2.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege1628PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    Token: SeDebugPrivilege1568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
  • Suspicious use of SetThreadContext
    PO HALLEY PROJECT01X40 CFR 72020.tbz2.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1628 set thread context of 15681628PO HALLEY PROJECT01X40 CFR 72020.tbz2.exePO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    PID 1568 set thread context of 641568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
    PID 1568 set thread context of 7521568PO HALLEY PROJECT01X40 CFR 72020.tbz2.exevbc.exe
  • Uses the VBS compiler for execution

    TTPs

    Scripting
Processes 5
  • C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
    "C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetThreadContext
    PID:1628
    • C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
      "{path}"
      PID:2040
    • C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
      "{path}"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      Suspicious use of SetWindowsHookEx
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetThreadContext
      PID:1568
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4B47.tmp"
        Suspicious behavior: EnumeratesProcesses
        PID:64
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp5366.tmp"
        PID:752
Network
MITRE ATT&CK Matrix
Collection
Command and Control
    Credential Access
    Defense Evasion
    Discovery
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe.log

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmp4B47.tmp

                      Download Submit

                    • memory/64-5-0x0000000000400000-0x000000000045C000-memory.dmp

                      Download

                    • memory/64-6-0x0000000000400000-0x000000000045C000-memory.dmp

                      Download

                    • memory/752-9-0x0000000000400000-0x000000000041C000-memory.dmp

                      Download

                    • memory/752-8-0x0000000000400000-0x000000000041C000-memory.dmp

                      Download

                    • memory/1568-3-0x0000000000400000-0x0000000000490000-memory.dmp

                      Download