Analysis
- max time kernel: 151s
- max time network: 61s
- platform: windows7_x64
- resource: win7
- submitted: 25-06-2020 13:26

Static task: static1

Behavioral task: behavioral1
- Sample: SWIFT.exe
- Resource: win7

Behavioral task: behavioral2
- Sample: SWIFT.exe
- Resource: win10v200430

General
- Target: SWIFT.exe
- Size: 867KB
- MD5: 8a0a2bca0b3d798daf56d1e05a6ace87
- SHA1: c9ed1cb1c822c444626f4252ec07813e08d18286
- SHA256: 1bb034cbd16394a007729ff3099c124f7b39b696b5e1db3d5078def6f8437d82
- SHA512: 58a7ccc1129894a50f52022eb5d97ac2d1b1603b53ed63b1c763996bb47f6bae99565c52570dd7ef5a4846b357d8329ff1af167655e20ad0b1303c020ef66f0e
Malware Config
Extracted
- Family: hawkeye_reborn
- Version: 9.0.1.6
- Protocol: smtp
- Host: mail.djindustries.net
- Port: 587
- Username: [email protected]
- Password: dj123
- Mutex: 7c6f1211-8a47-40f9-9379-74b0ebf28256

fields:
- _AntiDebugger: false
- _AntiVirusKiller: false
- _BotKiller: false
- _ClipboardLogger: true
- _Delivery: 0
- _DisableCommandPrompt: false
- _DisableRegEdit: false
- _DisableTaskManager: false
- _Disablers: false
- _EmailPassword: dj123
- _EmailPort: 587
- _EmailSSL: false
- _EmailServer: mail.djindustries.net
- _EmailUsername: [email protected]
- _ExecutionDelay: 10
- _FTPPort: 0
- _FTPSFTP: false
- _FakeMessageIcon: 0
- _FakeMessageShow: false
- _FileBinder: false
- _HideFile: false
- _HistoryCleaner: false
- _Install: false
- _InstallLocation: 0
- _InstallStartup: false
- _InstallStartupPersistance: false
- _KeyStrokeLogger: true
- _LogInterval: 10
- _MeltFile: false
- _Mutex: 7c6f1211-8a47-40f9-9379-74b0ebf28256
- _PasswordStealer: true
- _ProcessElevation: false
- _ProcessProtection: false
- _ScreenshotLogger: false
- _SystemInfo: false
- _Version: 9.0.1.6
- _WebCamLogger: false
- _WebsiteBlocker: false
- _WebsiteVisitor: false
- _WebsiteVisitorVisible: false
- _ZoneID: false

name: HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
Signatures

- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid | process):
  1928 | vbc.exe (5 identical entries)

- M00nD3v Logger Payload (3 IoCs)
  Detects M00nD3v Logger payload in memory.
  Processes (resource | yara_rule):
  behavioral1/memory/1236-2-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
  behavioral1/memory/1236-4-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
  behavioral1/memory/1236-5-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger

- Uses the VBS compiler for execution (1 TTP)

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

- Suspicious use of WriteProcessMemory (36 IoCs)
  Processes (description | pid | process | target process):
  PID 1196 wrote to memory of 1832 | 1196 | SWIFT.exe | schtasks.exe (4 identical entries)
  PID 1196 wrote to memory of 1236 | 1196 | SWIFT.exe | RegSvcs.exe (12 identical entries)
  PID 1236 wrote to memory of 1928 | 1236 | RegSvcs.exe | vbc.exe (10 identical entries)
  PID 1236 wrote to memory of 1976 | 1236 | RegSvcs.exe | vbc.exe (10 identical entries)

- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description | pid | process | target process):
  PID 1196 set thread context of 1236 | 1196 | SWIFT.exe | RegSvcs.exe
  PID 1236 set thread context of 1928 | 1236 | RegSvcs.exe | vbc.exe
  PID 1236 set thread context of 1976 | 1236 | RegSvcs.exe | vbc.exe

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\SWIFT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT.exe"
  PID: 1196
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mntgpSEljR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF8B0.tmp"
    PID: 1832
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    PID: 1236
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp26F0.tmp"
      PID: 1928
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp18CE.tmp"
      PID: 1976