Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows10_x64
- resource: win10v200430
- submitted: 25-06-2020 13:26
Static task: static1
Behavioral task: behavioral1
- Sample: SWIFT.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: SWIFT.exe
- Resource: win10v200430
General
- Target: SWIFT.exe
- Size: 867KB
- MD5: 8a0a2bca0b3d798daf56d1e05a6ace87
- SHA1: c9ed1cb1c822c444626f4252ec07813e08d18286
- SHA256: 1bb034cbd16394a007729ff3099c124f7b39b696b5e1db3d5078def6f8437d82
- SHA512: 58a7ccc1129894a50f52022eb5d97ac2d1b1603b53ed63b1c763996bb47f6bae99565c52570dd7ef5a4846b357d8329ff1af167655e20ad0b1303c020ef66f0e
Malware Config
Extracted
- Family: hawkeye_reborn
- Version: 9.0.1.6
- Protocol: smtp
- Host: mail.djindustries.net
- Port: 587
- Username: [email protected]
- Password: dj123
- Mutex: 7c6f1211-8a47-40f9-9379-74b0ebf28256
- fields:
  _AntiDebugger: false
  _AntiVirusKiller: false
  _BotKiller: false
  _ClipboardLogger: true
  _Delivery: 0
  _DisableCommandPrompt: false
  _DisableRegEdit: false
  _DisableTaskManager: false
  _Disablers: false
  _EmailPassword: dj123
  _EmailPort: 587
  _EmailSSL: false
  _EmailServer: mail.djindustries.net
  _EmailUsername: [email protected]
  _ExecutionDelay: 10
  _FTPPort: 0
  _FTPSFTP: false
  _FakeMessageIcon: 0
  _FakeMessageShow: false
  _FileBinder: false
  _HideFile: false
  _HistoryCleaner: false
  _Install: false
  _InstallLocation: 0
  _InstallStartup: false
  _InstallStartupPersistance: false
  _KeyStrokeLogger: true
  _LogInterval: 10
  _MeltFile: false
  _Mutex: 7c6f1211-8a47-40f9-9379-74b0ebf28256
  _PasswordStealer: true
  _ProcessElevation: false
  _ProcessProtection: false
  _ScreenshotLogger: false
  _SystemInfo: false
  _Version: 9.0.1.6
  _WebCamLogger: false
  _WebsiteBlocker: false
  _WebsiteVisitor: false
  _WebsiteVisitorVisible: false
  _ZoneID: false
- name: HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
Signatures
- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes: SWIFT.exe, RegSvcs.exe
  description                          pid   process      target process
  PID 3768 wrote to memory of 2532     3768  SWIFT.exe    schtasks.exe   (3 occurrences)
  PID 3768 wrote to memory of 3012     3768  SWIFT.exe    RegSvcs.exe    (8 occurrences)
  PID 3012 wrote to memory of 3576     3012  RegSvcs.exe  vbc.exe        (9 occurrences)
  PID 3012 wrote to memory of 3572     3012  RegSvcs.exe  vbc.exe        (9 occurrences)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: vbc.exe, RegSvcs.exe
  pid   process
  3576  vbc.exe      (12 occurrences)
  3012  RegSvcs.exe  (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: RegSvcs.exe
  description              pid   process
  Token: SeDebugPrivilege  3012  RegSvcs.exe
- M00nD3v Logger Payload (1 IoC)
  Detects M00nD3v Logger payload in memory.
  resource: behavioral2/memory/3012-2-0x0000000000400000-0x0000000000490000-memory.dmp
  yara_rule: m00nd3v_logger
- Uses the VBS compiler for execution (1 TTP)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: SWIFT.exe, RegSvcs.exe
  description                           pid   process      target process
  PID 3768 set thread context of 3012   3768  SWIFT.exe    RegSvcs.exe
  PID 3012 set thread context of 3576   3012  RegSvcs.exe  vbc.exe
  PID 3012 set thread context of 3572   3012  RegSvcs.exe  vbc.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: RegSvcs.exe
  pid   process
  3012  RegSvcs.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  7     bot.whatismyipaddress.com
Processes
- C:\Users\Admin\AppData\Local\Temp\SWIFT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT.exe"
  PID: 3768
  Signatures:
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mntgpSEljR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8C77.tmp"
    PID: 2532
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    PID: 3012
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBD99.tmp"
      PID: 3576
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC5E7.tmp"
      PID: 3572