Analysis
-
max time kernel
115s -
max time network
115s -
platform
windows10_x64 -
resource
win10 -
submitted
05-07-2020 07:31
Static task
static1
Behavioral task
behavioral1
Sample
(ITBD)..exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
(ITBD)..exe
Resource
win10
General
-
Target
(ITBD)..exe
-
Size
638KB
-
MD5
61b91b3bb375436570df81e5d981e823
-
SHA1
9c4124467c4308afe1b79782f447ffc7d40cb50b
-
SHA256
3c0f1342da1381efcb02db88a6f0c2c5da6006288915b146684e5de5e4bd7a8b
-
SHA512
54f5e78631bcf5cb747889bb9044a8745e590aade7123526d50c6a591204442c1c282bfa51ef62fc0dc22aaf71c2719b8cc38f9505d5b9bfba7282922802aff9
Malware Config
Extracted
hawkeye_reborn
10.0.0.1
Protocol: smtp- Host:
mail.eagleeyeapparels.com - Port:
587 - Username:
[email protected] - Password:
eagle*qaz
f98d37f4-ca90-4ed7-9f6f-6121c4014605
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:eagle*qaz _EmailPort:587 _EmailSSL:true _EmailServer:mail.eagleeyeapparels.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:f98d37f4-ca90-4ed7-9f6f-6121c4014605 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:true _SystemInfo:true _Version:10.0.0.1 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye RebornX, Version=10.0.0.1, Culture=neutral, PublicKeyToken=null
Signatures
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
(ITBD)..exepid process 3580 (ITBD)..exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
(ITBD)..exe(ITBD)..exedescription pid process target process PID 3908 wrote to memory of 3580 3908 (ITBD)..exe (ITBD)..exe PID 3908 wrote to memory of 3580 3908 (ITBD)..exe (ITBD)..exe PID 3908 wrote to memory of 3580 3908 (ITBD)..exe (ITBD)..exe PID 3908 wrote to memory of 3580 3908 (ITBD)..exe (ITBD)..exe PID 3908 wrote to memory of 3580 3908 (ITBD)..exe (ITBD)..exe PID 3908 wrote to memory of 3580 3908 (ITBD)..exe (ITBD)..exe PID 3908 wrote to memory of 3580 3908 (ITBD)..exe (ITBD)..exe PID 3908 wrote to memory of 3580 3908 (ITBD)..exe (ITBD)..exe PID 3580 wrote to memory of 3160 3580 (ITBD)..exe vbc.exe PID 3580 wrote to memory of 3160 3580 (ITBD)..exe vbc.exe PID 3580 wrote to memory of 3160 3580 (ITBD)..exe vbc.exe PID 3580 wrote to memory of 3160 3580 (ITBD)..exe vbc.exe PID 3580 wrote to memory of 3160 3580 (ITBD)..exe vbc.exe PID 3580 wrote to memory of 3160 3580 (ITBD)..exe vbc.exe PID 3580 wrote to memory of 3160 3580 (ITBD)..exe vbc.exe PID 3580 wrote to memory of 3160 3580 (ITBD)..exe vbc.exe PID 3580 wrote to memory of 3160 3580 (ITBD)..exe vbc.exe PID 3580 wrote to memory of 3004 3580 (ITBD)..exe vbc.exe PID 3580 wrote to memory of 3004 3580 (ITBD)..exe vbc.exe PID 3580 wrote to memory of 3004 3580 (ITBD)..exe vbc.exe PID 3580 wrote to memory of 3004 3580 (ITBD)..exe vbc.exe PID 3580 wrote to memory of 3004 3580 (ITBD)..exe vbc.exe PID 3580 wrote to memory of 3004 3580 (ITBD)..exe vbc.exe PID 3580 wrote to memory of 3004 3580 (ITBD)..exe vbc.exe PID 3580 wrote to memory of 3004 3580 (ITBD)..exe vbc.exe PID 3580 wrote to memory of 3004 3580 (ITBD)..exe vbc.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
(ITBD)..exe(ITBD)..exedescription pid process target process PID 3908 set thread context of 3580 3908 (ITBD)..exe (ITBD)..exe PID 3580 set thread context of 3160 3580 (ITBD)..exe vbc.exe PID 3580 set thread context of 3004 3580 (ITBD)..exe vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
(ITBD)..exedescription pid process Token: SeDebugPrivilege 3580 (ITBD)..exe -
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
vbc.exe(ITBD)..exepid process 3160 vbc.exe 3160 vbc.exe 3160 vbc.exe 3160 vbc.exe 3580 (ITBD)..exe 3580 (ITBD)..exe -
M00nD3v Logger Payload 1 IoCs
Detects M00nD3v Logger payload in memory.
Processes:
resource yara_rule behavioral2/memory/3580-0-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 bot.whatismyipaddress.com
Processes
-
C:\Users\Admin\AppData\Local\Temp\(ITBD)..exe"C:\Users\Admin\AppData\Local\Temp\(ITBD)..exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3908 -
C:\Users\Admin\AppData\Local\Temp\(ITBD)..exe"{path}"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3580 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpACF4.tmp"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3160 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB11C.tmp"3⤵PID:3004