Analysis
Max time kernel: 135s
Max time network: 136s
Platform: windows10_x64
Resource: win10
Submitted: 02-07-2020 06:55
Static task: static1
Behavioral task: behavioral1 (sample TT COPY_PDF__.exe, resource win7v200430)
Behavioral task: behavioral2 (sample TT COPY_PDF__.exe, resource win10)
General
Target: TT COPY_PDF__.exe
Size: 672KB
MD5: e808590b583c8eb67c0e329639011392
SHA1: 5bfe6fc14474cc72640c3cdbbbe0e8da05270faa
SHA256: 2f828fc3426d77ff968fa24fd9e62da0b5ca0708d3ca1ff34c0fd022b94d64b7
SHA512: bb6f9d6bf7c8706511122474a354059eea3c7301ea4658715b47882ffab1e35485b665f4a56724627043ead39008a1609b8e3aa26698deb1163650f176a17fc6
Malware Config
Extracted
Family: hawkeye_reborn
Version: 9.0.1.6
Protocol: smtp
Host: mail.djindustries.net
Port: 587
Username: [email protected]
Password: dj123
Mutex: 7c6f1211-8a47-40f9-9379-74b0ebf28256
Fields:
  _AntiDebugger: false
  _AntiVirusKiller: false
  _BotKiller: false
  _ClipboardLogger: true
  _Delivery: 0
  _DisableCommandPrompt: false
  _DisableRegEdit: false
  _DisableTaskManager: false
  _Disablers: false
  _EmailPassword: dj123
  _EmailPort: 587
  _EmailSSL: false
  _EmailServer: mail.djindustries.net
  _EmailUsername: [email protected]
  _ExecutionDelay: 10
  _FTPPort: 0
  _FTPSFTP: false
  _FakeMessageIcon: 0
  _FakeMessageShow: false
  _FileBinder: false
  _HideFile: false
  _HistoryCleaner: false
  _Install: false
  _InstallLocation: 0
  _InstallStartup: false
  _InstallStartupPersistance: false
  _KeyStrokeLogger: true
  _LogInterval: 10
  _MeltFile: false
  _Mutex: 7c6f1211-8a47-40f9-9379-74b0ebf28256
  _PasswordStealer: true
  _ProcessElevation: false
  _ProcessProtection: false
  _ScreenshotLogger: false
  _SystemInfo: false
  _Version: 9.0.1.6
  _WebCamLogger: false
  _WebsiteBlocker: false
  _WebsiteVisitor: false
  _WebsiteVisitorVisible: false
  _ZoneID: false
Name: HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
Signatures

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes (PID, process, number of entries):
3100 vbc.exe (12)
3608 RegSvcs.exe (2)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (PID, process):
3608 RegSvcs.exe

M00nD3v Logger Payload (1 IoC)
Detects M00nD3v Logger payload in memory.
Resource: behavioral2/memory/3608-2-0x0000000000400000-0x0000000000490000-memory.dmp
YARA rule: m00nd3v_logger

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flow 6, IoC: bot.whatismyipaddress.com

Suspicious use of WriteProcessMemory (29 IoCs)
Processes (source PID, source process -> target PID, target process; number of entries):
3068 TT COPY_PDF__.exe -> 3952 schtasks.exe (3)
3068 TT COPY_PDF__.exe -> 3608 RegSvcs.exe (8)
3608 RegSvcs.exe -> 3100 vbc.exe (9)
3608 RegSvcs.exe -> 3872 vbc.exe (9)

Suspicious use of SetThreadContext (3 IoCs)
Processes (source PID, source process -> target PID, target process):
3068 TT COPY_PDF__.exe -> 3608 RegSvcs.exe
3608 RegSvcs.exe -> 3100 vbc.exe
3608 RegSvcs.exe -> 3872 vbc.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (PID, process, token):
3608 RegSvcs.exe, SeDebugPrivilege

Uses the VBS compiler for execution (1 TTP)
Processes
1. C:\Users\Admin\AppData\Local\Temp\TT COPY_PDF__.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\TT COPY_PDF__.exe"
   PID: 3068
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wflkICyTszeaG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7644.tmp"
      PID: 3952
      - Creates scheduled task(s)
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      Command line: "{path}"
      PID: 3608
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA2E2.tmp"
         PID: 3100
         - Suspicious behavior: EnumeratesProcesses
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA6EA.tmp"
         PID: 3872
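Read together with the SetThreadContext and WriteProcessMemory signatures, the tree above is a two-stage chain consistent with process hollowing: the 32-bit dropper (schtasks resolved to SysWOW64, RegSvcs.exe under Framework rather than Framework64) starts the .NET Framework's RegSvcs.exe with the bare placeholder command line "{path}" and writes into it, and the resulting RegSvcs.exe in turn does the same to two copies of the VB compiler vbc.exe, which then run with /stext (the NirSoft save-as-text switch; vbc.exe has no such option) to drop recovered passwords into Temp. Below is an added example, not the sandbox's or the malware's code, of the process-creation triage a detection engineer would write for this chain. The events are a constructed Sysmon Event ID 1-style rendering of the report's tree plus two constructed benign controls; the parent of PID 3068 is left unset because the report does not show it.

```python
"""Process-creation triage for the chain in this report:
TT COPY_PDF__.exe -> schtasks /Create /XML <Temp>, and -> RegSvcs.exe "{path}" -> vbc.exe /stext.

Added example for this report, not code from the sandbox or the malware.
EVENTS is a constructed, Sysmon-Event-1-style rendering of the report's
process tree plus two benign control events (PIDs 5000 and 5001, invented).
The report does not show the parent of PID 3068, so that field is None."""
import ntpath
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FW2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
FW4 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"

EVENTS = [
    {"pid": 3068, "ppid": None, "parent_image": None,
     "image": TEMP + r"\TT COPY_PDF__.exe",
     "cmdline": '"' + TEMP + r'\TT COPY_PDF__.exe"'},
    {"pid": 3952, "ppid": 3068, "parent_image": TEMP + r"\TT COPY_PDF__.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wflkICyTszeaG" '
                '/XML "' + TEMP + r'\tmp7644.tmp"'},
    {"pid": 3608, "ppid": 3068, "parent_image": TEMP + r"\TT COPY_PDF__.exe",
     "image": FW2 + r"\RegSvcs.exe", "cmdline": '"{path}"'},
    {"pid": 3100, "ppid": 3608, "parent_image": FW2 + r"\RegSvcs.exe",
     "image": FW2 + r"\vbc.exe",
     "cmdline": '"' + FW2 + r'\vbc.exe" /stext "' + TEMP + r'\tmpA2E2.tmp"'},
    {"pid": 3872, "ppid": 3608, "parent_image": FW2 + r"\RegSvcs.exe",
     "image": FW2 + r"\vbc.exe",
     "cmdline": '"' + FW2 + r'\vbc.exe" /stext "' + TEMP + r'\tmpA6EA.tmp"'},
    # Constructed benign controls (not from the report): a real build and a task query.
    {"pid": 5000, "ppid": 4990, "parent_image": FW4 + r"\MSBuild.exe",
     "image": FW4 + r"\vbc.exe",
     "cmdline": r'vbc.exe /noconfig /nologo /out:"C:\build\app.exe" "C:\build\Program.vb"'},
    {"pid": 5001, "ppid": 4991, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Query /TN "Updates\wflkICyTszeaG"'},
]

USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\", re.I)
DOTNET_FRAMEWORK = re.compile(r"\\microsoft\.net\\framework(64)?\\", re.I)


def _base(path):
    return ntpath.basename(path or "").lower()


def rule_schtasks_from_temp_xml(ev):
    """schtasks /Create whose /XML definition lives in a temp directory."""
    if _base(ev["image"]) != "schtasks.exe" or "/create" not in ev["cmdline"].lower():
        return None
    m = re.search(r'/xml\s+(?:"([^"]+)"|(\S+))', ev["cmdline"], re.I)
    xml = (m.group(1) or m.group(2)) if m else ""
    return "scheduled task created from XML in a temp directory" if TEMP_DIR.search(xml) else None


def rule_dotnet_utility_hollow_candidate(ev):
    """A .NET Framework utility started by a binary in a user-writable path, or
    with only the '{path}' placeholder this report shows for RegSvcs.exe."""
    if not DOTNET_FRAMEWORK.search(ev["image"]):
        return None
    placeholder = ev["cmdline"].strip().strip('"') == "{path}"
    if placeholder or USER_WRITABLE.match(ev.get("parent_image") or ""):
        return ".NET Framework utility launched from user-writable parent or with placeholder command line"
    return None


def rule_stext_in_compiler(ev):
    """/stext is the NirSoft save-as-text switch; vbc.exe and csc.exe have no such
    option, so the compiler image is hosting a password-recovery payload."""
    if _base(ev["image"]) in {"vbc.exe", "csc.exe"} and re.search(r"(^|\s)/stext(\s|$)", ev["cmdline"], re.I):
        return "compiler binary invoked with NirSoft /stext switch"
    return None


RULES = (rule_schtasks_from_temp_xml, rule_dotnet_utility_hollow_candidate, rule_stext_in_compiler)


def triage(events):
    """Return (pid, image basename, reason) for every event some rule matches."""
    hits = []
    for ev in events:
        for rule in RULES:
            why = rule(ev)
            if why:
                hits.append((ev["pid"], _base(ev["image"]), why))
    return hits


def ancestry(events, pid):
    """Walk ppid links back to the root so the chain can be quoted in a report."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, image, why in triage(EVENTS):
        print(pid, image, "->", why)
    print("chain to 3872:", ancestry(EVENTS, 3872))
```

SetThreadContext-based hollowing produces no Sysmon Event ID 8 (CreateRemoteThread), so parent image, child image and command line are the practical telemetry; the three rules key on exactly what this report's tree exposes: the XML location, the bare `{path}` argument and the user-writable parent, and the `/stext` switch. The task definition in tmp7644.tmp is not captured in the report, so the first rule checks where the XML lives rather than what it schedules. The benign controls show the rules stay quiet for a real MSBuild-driven compile and for a `schtasks /Query`.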