Analysis
max time kernel: 146s
max time network: 151s
platform: windows7_x64
resource: win7
submitted: 29-06-2020 00:27
Static task: static1
Behavioral task: behavioral1
  Sample: payment detailes.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: payment detailes.exe
  Resource: win10v200430
General
Target: payment detailes.exe
Size: 777KB
MD5: 895eb79d01fa3ea5fe46f8341691244e
SHA1: 41837184e9aef1d339ecc62cc1923b88d518ddcf
SHA256: aed18091e44bb1a45419cd55517018c839a4c3463921c45b87f5ed7620a9a0c2
SHA512: ff53844c17974c67c2fc63a3c956429833333ee932b074266052787fbcbda67d915e79a7e1c1df1dec363512c2a1433c7d8ea8f1b455e8b40ad71cd7af788b89
Malware Config
Extracted
hawkeye_reborn
Version: 10.1.0.0
Protocol: smtp
Host: mail.bnfurniture.net
Port: 587
Username: [email protected]
Password: BNF!vloc.146
Mutex: e8d9ca92-733e-4f3e-93ae-f2671efb738d
fields:
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:BNF!vloc.146 _EmailPort:587 _EmailSSL:false _EmailServer:mail.bnfurniture.net _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10080 _MeltFile:false _Mutex:e8d9ca92-733e-4f3e-93ae-f2671efb738d _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name: HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null
Signatures
Suspicious use of SetThreadContext (2 IoCs)
Processes:
description | pid | process | target process
PID 1448 set thread context of 932 | 1448 | payment detailes.exe | RegAsm.exe
PID 932 set thread context of 1816 | 932 | RegAsm.exe | vbc.exe
M00nD3v Logger Payload (3 IoCs)
Detects M00nD3v Logger payload in memory.
Processes:
resource | yara_rule
behavioral1/memory/932-0-0x0000000000400000-0x00000000004AA000-memory.dmp | m00nd3v_logger
behavioral1/memory/932-2-0x0000000000400000-0x00000000004AA000-memory.dmp | m00nd3v_logger
behavioral1/memory/932-3-0x0000000000400000-0x00000000004AA000-memory.dmp | m00nd3v_logger
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
Uses the VBS compiler for execution (1 TTPs)
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
description | pid | process | target process
PID 1448 wrote to memory of 932 | 1448 | payment detailes.exe | RegAsm.exe
PID 1448 wrote to memory of 932 | 1448 | payment detailes.exe | RegAsm.exe
PID 1448 wrote to memory of 932 | 1448 | payment detailes.exe | RegAsm.exe
PID 1448 wrote to memory of 932 | 1448 | payment detailes.exe | RegAsm.exe
PID 1448 wrote to memory of 932 | 1448 | payment detailes.exe | RegAsm.exe
PID 1448 wrote to memory of 932 | 1448 | payment detailes.exe | RegAsm.exe
PID 1448 wrote to memory of 932 | 1448 | payment detailes.exe | RegAsm.exe
PID 1448 wrote to memory of 932 | 1448 | payment detailes.exe | RegAsm.exe
PID 932 wrote to memory of 1816 | 932 | RegAsm.exe | vbc.exe
PID 932 wrote to memory of 1816 | 932 | RegAsm.exe | vbc.exe
PID 932 wrote to memory of 1816 | 932 | RegAsm.exe | vbc.exe
PID 932 wrote to memory of 1816 | 932 | RegAsm.exe | vbc.exe
PID 932 wrote to memory of 1816 | 932 | RegAsm.exe | vbc.exe
PID 932 wrote to memory of 1816 | 932 | RegAsm.exe | vbc.exe
PID 932 wrote to memory of 1816 | 932 | RegAsm.exe | vbc.exe
PID 932 wrote to memory of 1816 | 932 | RegAsm.exe | vbc.exe
PID 932 wrote to memory of 1816 | 932 | RegAsm.exe | vbc.exe
PID 932 wrote to memory of 1816 | 932 | RegAsm.exe | vbc.exe
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
pid | process
1448 | payment detailes.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
pid | process
1816 | vbc.exe
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
Processes
C:\Users\Admin\AppData\Local\Temp\payment detailes.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\payment detailes.exe"
  PID: 1448
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 932
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6141.tmp"
      PID: 1816
      - Suspicious behavior: EnumeratesProcesses