Analysis
-
max time kernel
90s -
max time network
84s -
platform
windows10_x64 -
resource
win10 -
submitted
24-06-2020 13:14
Static task
static1
Behavioral task
behavioral1
Sample
Inv0023.exe
Resource
win7
Behavioral task
behavioral2
Sample
Inv0023.exe
Resource
win10
General
-
Target
Inv0023.exe
-
Size
749KB
-
MD5
0c9aa99d322106396b79add77e5e02d5
-
SHA1
8a884053f9a34fc0744f4e52a2a7a6a38392acea
-
SHA256
e989d836254505f803ce7c8c54f288d3823178f1e97e239c80cae30ae25618c7
-
SHA512
5d127ceb87626cea57eb95b1f668d59f58b6fcfabfca723a5e37b40d23df611e12b378b4281b319ef9a1e61376cae3de4cc85e3bea093ade25ad47de650336f3
Malware Config
Extracted
hawkeye_reborn
10.1.0.0
Protocol: smtp- Host:
mail.bnfurniture.net - Port:
587 - Username:
[email protected] - Password:
BNF!vloc.146
e8d9ca92-733e-4f3e-93ae-f2671efb738d
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:BNF!vloc.146 _EmailPort:587 _EmailSSL:false _EmailServer:mail.bnfurniture.net _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10080 _MeltFile:false _Mutex:e8d9ca92-733e-4f3e-93ae-f2671efb738d _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null
Signatures
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegAsm.exedescription pid process Token: SeDebugPrivilege 4064 RegAsm.exe -
M00nD3v Logger Payload 1 IoCs
Detects M00nD3v Logger payload in memory.
Processes:
resource yara_rule behavioral2/memory/4064-0-0x0000000000400000-0x00000000004AA000-memory.dmp m00nd3v_logger -
Uses the VBS compiler for execution 1 TTPs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 19 bot.whatismyipaddress.com -
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
vbc.exepid process 3604 vbc.exe 3604 vbc.exe 3604 vbc.exe 3604 vbc.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
Inv0023.exepid process 3536 Inv0023.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
Inv0023.exeRegAsm.exedescription pid process target process PID 3536 set thread context of 4064 3536 Inv0023.exe RegAsm.exe PID 4064 set thread context of 3604 4064 RegAsm.exe vbc.exe PID 4064 set thread context of 3516 4064 RegAsm.exe vbc.exe -
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
Inv0023.exeRegAsm.exedescription pid process target process PID 3536 wrote to memory of 4064 3536 Inv0023.exe RegAsm.exe PID 3536 wrote to memory of 4064 3536 Inv0023.exe RegAsm.exe PID 3536 wrote to memory of 4064 3536 Inv0023.exe RegAsm.exe PID 3536 wrote to memory of 4064 3536 Inv0023.exe RegAsm.exe PID 4064 wrote to memory of 3604 4064 RegAsm.exe vbc.exe PID 4064 wrote to memory of 3604 4064 RegAsm.exe vbc.exe PID 4064 wrote to memory of 3604 4064 RegAsm.exe vbc.exe PID 4064 wrote to memory of 3604 4064 RegAsm.exe vbc.exe PID 4064 wrote to memory of 3604 4064 RegAsm.exe vbc.exe PID 4064 wrote to memory of 3604 4064 RegAsm.exe vbc.exe PID 4064 wrote to memory of 3604 4064 RegAsm.exe vbc.exe PID 4064 wrote to memory of 3604 4064 RegAsm.exe vbc.exe PID 4064 wrote to memory of 3604 4064 RegAsm.exe vbc.exe PID 4064 wrote to memory of 3516 4064 RegAsm.exe vbc.exe PID 4064 wrote to memory of 3516 4064 RegAsm.exe vbc.exe PID 4064 wrote to memory of 3516 4064 RegAsm.exe vbc.exe PID 4064 wrote to memory of 3516 4064 RegAsm.exe vbc.exe PID 4064 wrote to memory of 3516 4064 RegAsm.exe vbc.exe PID 4064 wrote to memory of 3516 4064 RegAsm.exe vbc.exe PID 4064 wrote to memory of 3516 4064 RegAsm.exe vbc.exe PID 4064 wrote to memory of 3516 4064 RegAsm.exe vbc.exe PID 4064 wrote to memory of 3516 4064 RegAsm.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Inv0023.exe"C:\Users\Admin\AppData\Local\Temp\Inv0023.exe"1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp47B2.tmp"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3604 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp4FE1.tmp"3⤵PID:3516