Analysis
- max time kernel: 150s
- max time network: 60s
- platform: windows7_x64
- resource: win7
- submitted: 24-06-2020 13:37
Static task: static1
Behavioral task: behavioral1
- Sample: SWIFT.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: SWIFT.exe
- Resource: win10
General
- Target: SWIFT.exe
- Size: 648KB
- MD5: c6c27645dfd76ef90d11ef34998282b3
- SHA1: c604e7794bf7d41d8d67b9c5ec0a0eb32cb6f871
- SHA256: 15d7912a32b51aa783aa0aa7d0098415531f649e441ad9abf15ece3f0baf52ab
- SHA512: 45180e37e75e621d689cc953e9f1c2362a12972079d5230f8203da8d6502ef71bd54afee6db271ecec71d1aa981d1b6e5cf20319400e2ac4e3d4ae32f871270a
Malware Config
Extracted
- Family: hawkeye_reborn
- Version: 9.0.1.6
- Protocol: smtp
- Host: mail.djindustries.net
- Port: 587
- Username: [email protected]
- Password: dj123
- Mutex: 7c6f1211-8a47-40f9-9379-74b0ebf28256
- fields:
    _AntiDebugger: false
    _AntiVirusKiller: false
    _BotKiller: false
    _ClipboardLogger: true
    _Delivery: 0
    _DisableCommandPrompt: false
    _DisableRegEdit: false
    _DisableTaskManager: false
    _Disablers: false
    _EmailPassword: dj123
    _EmailPort: 587
    _EmailSSL: false
    _EmailServer: mail.djindustries.net
    _EmailUsername: [email protected]
    _ExecutionDelay: 10
    _FTPPort: 0
    _FTPSFTP: false
    _FakeMessageIcon: 0
    _FakeMessageShow: false
    _FileBinder: false
    _HideFile: false
    _HistoryCleaner: false
    _Install: false
    _InstallLocation: 0
    _InstallStartup: false
    _InstallStartupPersistance: false
    _KeyStrokeLogger: true
    _LogInterval: 10
    _MeltFile: false
    _Mutex: 7c6f1211-8a47-40f9-9379-74b0ebf28256
    _PasswordStealer: true
    _ProcessElevation: false
    _ProcessProtection: false
    _ScreenshotLogger: false
    _SystemInfo: false
    _Version: 9.0.1.6
    _WebCamLogger: false
    _WebsiteBlocker: false
    _WebsiteVisitor: false
    _WebsiteVisitorVisible: false
    _ZoneID: false
- name: HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
Signatures
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes: SWIFT.exe, RegSvcs.exe
description                          pid   process      target process   count
PID 1492 wrote to memory of 756      1492  SWIFT.exe    schtasks.exe     4
PID 1492 wrote to memory of 1036     1492  SWIFT.exe    RegSvcs.exe      7
PID 1492 wrote to memory of 1512     1492  SWIFT.exe    RegSvcs.exe      12
PID 1512 wrote to memory of 1896     1512  RegSvcs.exe  vbc.exe          10
PID 1512 wrote to memory of 1992     1512  RegSvcs.exe  vbc.exe          10
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: SWIFT.exe
description              pid   process
Token: SeDebugPrivilege  1492  SWIFT.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes: SWIFT.exe, RegSvcs.exe
description                          pid   process      target process
PID 1492 set thread context of 1512  1492  SWIFT.exe    RegSvcs.exe
PID 1512 set thread context of 1896  1512  RegSvcs.exe  vbc.exe
PID 1512 set thread context of 1992  1512  RegSvcs.exe  vbc.exe
-
M00nD3v Logger Payload 3 IoCs
Detects M00nD3v Logger payload in memory.
Processes:
resource                                                                    yara_rule
behavioral1/memory/1512-2-0x0000000000400000-0x0000000000490000-memory.dmp  m00nd3v_logger
behavioral1/memory/1512-4-0x0000000000400000-0x0000000000490000-memory.dmp  m00nd3v_logger
behavioral1/memory/1512-5-0x0000000000400000-0x0000000000490000-memory.dmp  m00nd3v_logger
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: SWIFT.exe, vbc.exe
pid   process    count
1492  SWIFT.exe  1
1896  vbc.exe    5
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SWIFT.exe (PID 1492)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  |
  +-- C:\Windows\SysWOW64\schtasks.exe (PID 756)
  |     Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BCxGUWBDRIbt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp85C2.tmp"
  |     - Creates scheduled task(s)
  |
  +-- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (PID 1036)
  |     Command line: "{path}"
  |
  +-- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (PID 1512)
        Command line: "{path}"
        - Suspicious use of WriteProcessMemory
        - Suspicious use of SetThreadContext
        |
        +-- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1896)
        |     Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB376.tmp"
        |     - Suspicious behavior: EnumeratesProcesses
        |
        +-- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1992)
              Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA573.tmp"