Analysis
- max time kernel: 150s
- max time network: 23s
- platform: windows7_x64
- resource: win7v200430
- submitted: 02-07-2020 06:55

Static task: static1
Behavioral task: behavioral1
- Sample: TT COPY_PDF__.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: TT COPY_PDF__.exe
- Resource: win10

The signatures, memory dumps and process tree below come from behavioral1 (Windows 7 x64).
General
- Target: TT COPY_PDF__.exe
- Size: 672KB
- MD5: e808590b583c8eb67c0e329639011392
- SHA1: 5bfe6fc14474cc72640c3cdbbbe0e8da05270faa
- SHA256: 2f828fc3426d77ff968fa24fd9e62da0b5ca0708d3ca1ff34c0fd022b94d64b7
- SHA512: bb6f9d6bf7c8706511122474a354059eea3c7301ea4658715b47882ffab1e35485b665f4a56724627043ead39008a1609b8e3aa26698deb1163650f176a17fc6
Malware Config
Extracted
- Family: hawkeye_reborn
- Version: 9.0.1.6
- Protocol: smtp
- Host: mail.djindustries.net
- Port: 587
- Username: [email protected]
- Password: dj123
- Mutex: 7c6f1211-8a47-40f9-9379-74b0ebf28256
- fields:
  _AntiDebugger: false
  _AntiVirusKiller: false
  _BotKiller: false
  _ClipboardLogger: true
  _Delivery: 0
  _DisableCommandPrompt: false
  _DisableRegEdit: false
  _DisableTaskManager: false
  _Disablers: false
  _EmailPassword: dj123
  _EmailPort: 587
  _EmailSSL: false
  _EmailServer: mail.djindustries.net
  _EmailUsername: [email protected]
  _ExecutionDelay: 10
  _FTPPort: 0
  _FTPSFTP: false
  _FakeMessageIcon: 0
  _FakeMessageShow: false
  _FileBinder: false
  _HideFile: false
  _HistoryCleaner: false
  _Install: false
  _InstallLocation: 0
  _InstallStartup: false
  _InstallStartupPersistance: false
  _KeyStrokeLogger: true
  _LogInterval: 10
  _MeltFile: false
  _Mutex: 7c6f1211-8a47-40f9-9379-74b0ebf28256
  _PasswordStealer: true
  _ProcessElevation: false
  _ProcessProtection: false
  _ScreenshotLogger: false
  _SystemInfo: false
  _Version: 9.0.1.6
  _WebCamLogger: false
  _WebsiteBlocker: false
  _WebsiteVisitor: false
  _WebsiteVisitorVisible: false
  _ZoneID: false
- name: HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Only three modules are switched on (_ClipboardLogger, _KeyStrokeLogger, _PasswordStealer); screenshots, webcam capture, system-info collection and the anti-analysis options are all off. Exfiltration is SMTP to mail.djindustries.net:587 with _EmailSSL false, so the SMTP session, including the AUTH credentials, should be visible in cleartext on the wire, which makes this exfil straightforward to detect and block at the network edge. The _LogInterval of 10 sets the cadence of the reports, and the mutex value is the same GUID the extractor reports at the top of this section.
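The "fields" dump above is a Go map printed with fmt ("map[key:value key:value ...]"), which is how this sandbox serialises the extractor output. The following is an added example, not code from the report or from the sandbox, that parses that dump back into typed values and derives the two things an analyst actually wants from it: the enabled modules and the exfil endpoint. The dump string is the report's own (the redacted Username is kept as-is); the helper names and the rule that infers the channel from which server fields are populated are assumptions, since the report does not document the meaning of _Delivery.

```python
import re

# Constructed input: the "fields" dump from the report, verbatim (the
# _EmailUsername value is redacted in the report and is kept as-is).
FIELDS_DUMP = (
    "map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false "
    "_ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false "
    "_DisableRegEdit:false _DisableTaskManager:false _Disablers:false "
    "_EmailPassword:dj123 _EmailPort:587 _EmailSSL:false "
    "_EmailServer:mail.djindustries.net _EmailUsername:[email protected] "
    "_ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 "
    "_FakeMessageShow:false _FileBinder:false _HideFile:false "
    "_HistoryCleaner:false _Install:false _InstallLocation:0 "
    "_InstallStartup:false _InstallStartupPersistance:false "
    "_KeyStrokeLogger:true _LogInterval:10 _MeltFile:false "
    "_Mutex:7c6f1211-8a47-40f9-9379-74b0ebf28256 _PasswordStealer:true "
    "_ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false "
    "_SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false "
    "_WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false "
    "_ZoneID:false]"
)

# One entry is "_Key:value". Go prints values unquoted, so the value is taken
# to run until the next " _Key:" token or the end of the body; a value that
# contains spaces (but no " _Key:" sequence) therefore survives intact.
_ENTRY = re.compile(r"(_\w+):(.*?)(?=\s_\w+:|$)")


def _coerce(raw):
    """Map Go's unquoted bools and ints back to Python types; keep the rest as str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.isdigit():
        return int(raw)
    return raw


def parse_go_map(dump):
    """Parse a fmt-printed Go map ("map[k:v k:v]") into a dict."""
    dump = dump.strip()
    if not (dump.startswith("map[") and dump.endswith("]")):
        raise ValueError("not a Go map dump")
    body = dump[len("map["):-1]
    return {key: _coerce(value) for key, value in _ENTRY.findall(body)}


def enabled_modules(cfg):
    """Names of the boolean capability flags the operator switched on."""
    return sorted(k for k, v in cfg.items() if v is True)


def exfil_channel(cfg):
    """Exfiltration endpoint. The meaning of _Delivery is not given in the
    report, so (assumption) the channel is inferred from which server fields
    are populated: an _EmailServer means SMTP."""
    if cfg.get("_EmailServer"):
        return {
            "protocol": "smtp",
            "host": cfg["_EmailServer"],
            "port": cfg.get("_EmailPort"),
            "username": cfg.get("_EmailUsername"),
            "tls": bool(cfg.get("_EmailSSL")),
        }
    return None


def network_iocs(cfg):
    """Flat indicator list suitable for a blocklist or a host/mutex rule."""
    chan = exfil_channel(cfg)
    iocs = []
    if chan:
        iocs.append(f"{chan['host']}:{chan['port']}")
    if cfg.get("_Mutex"):
        iocs.append(f"mutex:{cfg['_Mutex']}")
    return iocs


if __name__ == "__main__":
    cfg = parse_go_map(FIELDS_DUMP)
    print("version:", cfg["_Version"])
    print("enabled:", enabled_modules(cfg))
    print("exfil:  ", exfil_channel(cfg))
    print("iocs:   ", network_iocs(cfg))
```

Because the values are not quoted, the parser cannot disambiguate a value that itself contains " _Something:"; for extractor output of this shape that never happens in practice, but it is the reason the entry regex anchors on the leading underscore rather than splitting on whitespace.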
Signatures
- M00nD3v Logger Payload (3 IoCs)
  Detects M00nD3v Logger payload in memory.
  resource | yara_rule
  behavioral1/memory/1888-2-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
  behavioral1/memory/1888-4-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
  behavioral1/memory/1888-5-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
  All three hits are dumps of the same 0x400000-0x490000 region of PID 1888, the RegSvcs.exe process the loader injected into, taken at different points in the run.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  schtasks.exe is often used by malware for persistence or for post-infection execution. Here the task is created by the loader (PID 868) from an XML definition it wrote to the user's Temp directory. The extracted HawkEye config has _Install, _InstallStartup and _InstallStartupPersistance all false, so this persistence belongs to the loader, not to the payload's own install routine.
- Uses the Visual Basic .NET compiler (vbc.exe) for execution (1 TTPs)
  vbc.exe is the VB.NET compiler, not a VBScript engine, and it has no /stext switch. /stext is the save-as-text switch of the NirSoft password-recovery tools that HawkEye runs inside vbc.exe processes it has written to and redirected (see the SetThreadContext and WriteProcessMemory entries below); the file named after /stext is where the recovered credentials are written.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers target stored browser data, which includes saved credentials, cookies and history.
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
- Suspicious use of SetThreadContext (3 IoCs)
  pid  | process           | target pid | target process
  868  | TT COPY_PDF__.exe | 1888       | RegSvcs.exe
  1888 | RegSvcs.exe       | 1320       | vbc.exe
  1888 | RegSvcs.exe       | 1604       | vbc.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid  | process | occurrences
  1320 | vbc.exe | 5
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients. This rule and the HawkEye Reborn rule both fire on the same injected process (PID 1888), and the extracted assembly name identifies the payload as HawkEye Reborn v9; the two families share a code base, so treat this as one payload rather than two.
- Suspicious use of WriteProcessMemory (36 IoCs)
  pid  | process           | target pid | target process | writes
  868  | TT COPY_PDF__.exe | 1832       | schtasks.exe   | 4
  868  | TT COPY_PDF__.exe | 1888       | RegSvcs.exe    | 12
  1888 | RegSvcs.exe       | 1320       | vbc.exe        | 10
  1888 | RegSvcs.exe       | 1604       | vbc.exe        | 10
  Writes into a freshly created child are also produced by ordinary process creation (the four into schtasks.exe are of that kind), so the count alone is not the signal; the combination of WriteProcessMemory with SetThreadContext on the same target (1888, 1320, 1604) is what marks those three as injected.
Processes
- C:\Users\Admin\AppData\Local\Temp\TT COPY_PDF__.exe (PID 868)
  "C:\Users\Admin\AppData\Local\Temp\TT COPY_PDF__.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 1832)
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wflkICyTszeaG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp81EB.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (PID 1888)
    "{path}"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1320)
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB605.tmp"
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1604)
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA802.tmp"

Three details of this tree are worth keeping as indicators. The schtasks command line names System32\schtasks.exe but the image that actually ran is SysWOW64\schtasks.exe, because the 32-bit parent is subject to WOW64 file-system redirection; a rule that matches on the command line path alone will miss it. RegSvcs.exe is started with the literal command line "{path}" rather than a real path, an odd argument for a signed Microsoft binary that is a strong command-line indicator on its own. Finally, the two .tmp files passed to /stext (tmpB605.tmp and tmpA802.tmp) are the output locations for the recovered credentials and are the files to pull from the sandbox before they are read and exfiltrated.
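The process tree above is a compact injection chain: a loader in the user's Temp directory registers a scheduled task, hollows RegSvcs.exe, and the hollowed process in turn hollows two vbc.exe instances that are handed a /stext argument. The following is an added example, not code from the report or from the sandbox, that turns those observations into detection logic and runs it over constructed process-creation records modelled loosely on Sysmon Event ID 1. The PIDs, images and command lines for 868, 1832, 1888, 1320 and 1604 are taken from the report; the record field names, the parent of 868 (not in the report), the benign vbc.exe compile under PID 2000 used as a negative control, and the inclusion of RegAsm.exe and MSBuild.exe in the host watchlist are assumptions.

```python
import re

# Constructed process-creation records (field names are an assumption).
# The five malicious entries reproduce the report's tree; PID 2000 is a
# made-up, benign vbc.exe compile so the rules have something to ignore.
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    {"pid": 868, "ppid": None,  # parent of the loader is not in the report
     "image": TEMP + r"\TT COPY_PDF__.exe",
     "cmdline": '"' + TEMP + r'\TT COPY_PDF__.exe"'},
    {"pid": 1832, "ppid": 868,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wflkICyTszeaG" /XML "'
                + TEMP + r'\tmp81EB.tmp"'},
    {"pid": 1888, "ppid": 868,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "cmdline": '"{path}"'},
    {"pid": 1320, "ppid": 1888, "image": VBC,
     "cmdline": '"' + VBC + '" /stext "' + TEMP + r'\tmpB605.tmp"'},
    {"pid": 1604, "ppid": 1888, "image": VBC,
     "cmdline": '"' + VBC + '" /stext "' + TEMP + r'\tmpA802.tmp"'},
    {"pid": 2000, "ppid": 1500, "image": VBC,  # assumed benign developer build
     "cmdline": '"' + VBC + '" /target:exe /out:hello.exe hello.vb'},
]

# A user-writable staging directory; matched against images and command lines.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)

# RegSvcs.exe and vbc.exe are the hosts seen in the report; RegAsm.exe and
# MSBuild.exe are added on the assumption that the same loaders abuse them too.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "vbc.exe"}


def _name(path):
    """Lower-cased basename, so SysWOW64 and System32 copies compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def _rules(ev, parent):
    """Return the names of the rules a single event trips (order is fixed)."""
    name, cmd = _name(ev["image"]), ev["cmdline"]
    low = cmd.lower()
    parent_in_temp = parent is not None and USER_TEMP.search(parent["image"])
    hits = []
    # 1. A Temp-resident parent registering a task from an XML file in Temp.
    if name == "schtasks.exe" and "/create" in low and "/xml" in low and USER_TEMP.search(cmd):
        hits.append("schtasks_xml_from_temp")
    # 2. A .NET Framework utility launched by something running out of Temp.
    if name in DOTNET_HOSTS and parent_in_temp:
        hits.append("dotnet_host_spawned_from_temp")
    # 3. The literal "{path}" argument seen on the hollowed RegSvcs.exe.
    if cmd.strip().strip('"') == "{path}":
        hits.append("unexpanded_path_placeholder")
    # 4. vbc.exe has no /stext switch; NirSoft recovery tools do.
    if name == "vbc.exe" and re.search(r"(^|\s)/stext(\s|$)", low):
        hits.append("vbc_stext_switch")
    return hits


def triage(events):
    """Map each flagged PID to the list of rules it tripped."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for ev in events:
        hits = _rules(ev, by_pid.get(ev["ppid"]))
        if hits:
            findings[ev["pid"]] = hits
    return findings


def lineage(events, pid):
    """Basenames from the given PID up to the root that is present in the events."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, " <- ".join(lineage(EVENTS, pid)), hits)
```

Rule 2 matches on the parent's image rather than the child's command line, which is why the loader-to-RegSvcs hop is caught while the RegSvcs-to-vbc hop is not: RegSvcs.exe lives under C:\Windows. The vbc.exe children are caught by rule 4 instead, and a production rule would additionally require the SetThreadContext/WriteProcessMemory pairing the report shows, which these command-line-only checks cannot see.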