Analysis
max time kernel: 142s
max time network: 145s
platform: windows10_x64
resource: win10
submitted: 24-06-2020 13:37
Static task: static1
Behavioral task: behavioral1 (Sample: SWIFT.exe, Resource: win7)
Behavioral task: behavioral2 (Sample: SWIFT.exe, Resource: win10)
General
Target: SWIFT.exe
Size: 648KB
MD5: c6c27645dfd76ef90d11ef34998282b3
SHA1: c604e7794bf7d41d8d67b9c5ec0a0eb32cb6f871
SHA256: 15d7912a32b51aa783aa0aa7d0098415531f649e441ad9abf15ece3f0baf52ab
SHA512: 45180e37e75e621d689cc953e9f1c2362a12972079d5230f8203da8d6502ef71bd54afee6db271ecec71d1aa981d1b6e5cf20319400e2ac4e3d4ae32f871270a
Malware Config
Extracted
Family: hawkeye_reborn
Version: 9.0.1.6
SMTP credentials:
  Protocol: smtp
  Host: mail.djindustries.net
  Port: 587
  Username: [email protected]
  Password: dj123
Mutex: 7c6f1211-8a47-40f9-9379-74b0ebf28256
fields:
  _AntiDebugger: false
  _AntiVirusKiller: false
  _BotKiller: false
  _ClipboardLogger: true
  _Delivery: 0
  _DisableCommandPrompt: false
  _DisableRegEdit: false
  _DisableTaskManager: false
  _Disablers: false
  _EmailPassword: dj123
  _EmailPort: 587
  _EmailSSL: false
  _EmailServer: mail.djindustries.net
  _EmailUsername: [email protected]
  _ExecutionDelay: 10
  _FTPPort: 0
  _FTPSFTP: false
  _FakeMessageIcon: 0
  _FakeMessageShow: false
  _FileBinder: false
  _HideFile: false
  _HistoryCleaner: false
  _Install: false
  _InstallLocation: 0
  _InstallStartup: false
  _InstallStartupPersistance: false
  _KeyStrokeLogger: true
  _LogInterval: 10
  _MeltFile: false
  _Mutex: 7c6f1211-8a47-40f9-9379-74b0ebf28256
  _PasswordStealer: true
  _ProcessElevation: false
  _ProcessProtection: false
  _ScreenshotLogger: false
  _SystemInfo: false
  _Version: 9.0.1.6
  _WebCamLogger: false
  _WebsiteBlocker: false
  _WebsiteVisitor: false
  _WebsiteVisitorVisible: false
  _ZoneID: false
name: HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
Signatures
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: SWIFT.exe, RegSvcs.exe
  description              pid   process
  Token: SeDebugPrivilege  3908  SWIFT.exe
  Token: SeDebugPrivilege  3760  RegSvcs.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes: SWIFT.exe, vbc.exe, RegSvcs.exe
  pid   process      occurrences
  3908  SWIFT.exe    2
  1972  vbc.exe      12
  3760  RegSvcs.exe  2
Suspicious use of SetThreadContext (3 IoCs)
Processes: SWIFT.exe, RegSvcs.exe
  description                          pid   process      target process
  PID 3908 set thread context of 3760  3908  SWIFT.exe    RegSvcs.exe
  PID 3760 set thread context of 1972  3760  RegSvcs.exe  vbc.exe
  PID 3760 set thread context of 3388  3760  RegSvcs.exe  vbc.exe
M00nD3v Logger Payload (1 IoC)
Detects M00nD3v Logger payload in memory.
Processes:
  resource                                                                    yara_rule
  behavioral2/memory/3760-2-0x0000000000400000-0x0000000000490000-memory.dmp  m00nd3v_logger
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
Uses the VBS compiler for execution (1 TTP)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  16    bot.whatismyipaddress.com
Suspicious use of WriteProcessMemory (32 IoCs)
Processes: SWIFT.exe, RegSvcs.exe
  description                       pid   process      target process  occurrences
  PID 3908 wrote to memory of 500   3908  SWIFT.exe    schtasks.exe    3
  PID 3908 wrote to memory of 3804  3908  SWIFT.exe    RegSvcs.exe     3
  PID 3908 wrote to memory of 3760  3908  SWIFT.exe    RegSvcs.exe     8
  PID 3760 wrote to memory of 1972  3760  RegSvcs.exe  vbc.exe         9
  PID 3760 wrote to memory of 3388  3760  RegSvcs.exe  vbc.exe         9
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: RegSvcs.exe
  pid   process
  3760  RegSvcs.exe
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes
C:\Users\Admin\AppData\Local\Temp\SWIFT.exe (PID 3908)
  command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe (PID 500)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BCxGUWBDRIbt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7143.tmp"
    - Creates scheduled task(s)
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (PID 3804)
    command line: "{path}"
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (PID 3760)
    command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetWindowsHookEx
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1972)
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9EBB.tmp"
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3388)
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA2E3.tmp"