Analysis
- max time kernel: 110s
- max time network: 110s
- platform: windows10_x64
- resource: win10
- submitted: 30-06-2020 14:22

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 8r9tVWwqo5U1Myj.exe
  Resource: win7
- Behavioral task: behavioral2
  Sample: 8r9tVWwqo5U1Myj.exe
  Resource: win10
General
- Target: 8r9tVWwqo5U1Myj.exe
- Size: 774KB
- MD5: da562b863edb03d976b5ba170ecb2961
- SHA1: 561696a793ce3ef7f39ca1045a034dd08ec3e7f1
- SHA256: f98bb09a67afe83ca7b041488f460d2a8b96224d77f21117d5b0076e04706dd4
- SHA512: 41a7a86f71851e0a5ef6244fd33b25108209d6c0477a00b56539a2773ab497dca5c34dda693a8bf77ab3355b48c8096c6eff51be577a468a754cfa87bdbdbfa4
Malware Config
Extracted: hawkeye_reborn
- Version: 10.1.0.0
- Protocol: smtp
- Host: mail.prismindia.in
- Port: 587
- Username: [email protected]
- Password: Stencil1@
- Mutex: 236e7cc8-2338-48a0-99ee-d911950fa78d
- fields:
    _AntiDebugger: false
    _AntiVirusKiller: false
    _BotKiller: false
    _ClipboardLogger: false
    _Delivery: 0
    _DisableCommandPrompt: false
    _DisableRegEdit: false
    _DisableTaskManager: false
    _Disablers: false
    _EmailPassword: Stencil1@
    _EmailPort: 587
    _EmailSSL: false
    _EmailServer: mail.prismindia.in
    _EmailUsername: [email protected]
    _ExecutionDelay: 10
    _FTPPort: 0
    _FTPSFTP: false
    _FakeMessageIcon: 0
    _FakeMessageShow: false
    _FileBinder: false
    _HideFile: false
    _HistoryCleaner: false
    _Install: false
    _InstallLocation: 0
    _InstallStartup: false
    _InstallStartupPersistance: false
    _KeyStrokeLogger: false
    _LogInterval: 10080
    _MeltFile: false
    _Mutex: 236e7cc8-2338-48a0-99ee-d911950fa78d
    _PasswordStealer: true
    _ProcessElevation: false
    _ProcessProtection: false
    _ScreenshotLogger: false
    _SystemInfo: false
    _Version: 10.1.0.0
    _WebCamLogger: false
    _WebsiteBlocker: false
    _WebsiteVisitor: false
    _WebsiteVisitorVisible: false
    _ZoneID: false
- name: HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null
Signatures

- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    description | pid | process | target process
    PID 980 set thread context of 1732 | 980 | 8r9tVWwqo5U1Myj.exe | 8r9tVWwqo5U1Myj.exe
    PID 1732 set thread context of 3360 | 1732 | 8r9tVWwqo5U1Myj.exe | vbc.exe
    PID 1732 set thread context of 3408 | 1732 | 8r9tVWwqo5U1Myj.exe | vbc.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 980 | 8r9tVWwqo5U1Myj.exe

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid | process
    980 | 8r9tVWwqo5U1Myj.exe
    3360 | vbc.exe   (4 identical rows)

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    7 | bot.whatismyipaddress.com

- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes:
    description | pid | process | target process
    PID 980 wrote to memory of 1732 | 980 | 8r9tVWwqo5U1Myj.exe | 8r9tVWwqo5U1Myj.exe   (8 identical rows)
    PID 1732 wrote to memory of 3360 | 1732 | 8r9tVWwqo5U1Myj.exe | vbc.exe   (9 identical rows)
    PID 1732 wrote to memory of 3408 | 1732 | 8r9tVWwqo5U1Myj.exe | vbc.exe   (9 identical rows)

- M00nD3v Logger Payload (1 IoC)
  Detects M00nD3v Logger payload in memory.
  Processes:
    resource | yara_rule
    behavioral2/memory/1732-0-0x0000000000400000-0x00000000004AA000-memory.dmp | m00nd3v_logger

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.

- Uses the VBS compiler for execution (1 TTP)
Processes

- C:\Users\Admin\AppData\Local\Temp\8r9tVWwqo5U1Myj.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8r9tVWwqo5U1Myj.exe"
  PID: 980
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8r9tVWwqo5U1Myj.exe
    Command line: "{path}"
    PID: 1732
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpAF65.tmp"
      PID: 3360
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB37D.tmp"
      PID: 3408