Analysis
-
max time kernel
85s -
max time network
111s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 19:53
General
-
Target
667bd85d957124ab909987434bad3a62.exe
-
Size
814KB
-
MD5
667bd85d957124ab909987434bad3a62
-
SHA1
48f5ff1c43ab6ed28f59dcf9b10d4515922201f2
-
SHA256
7559061a4b412f6249a6dd96889eecac890e2f7a3d1a2ea9bcf611feb26bf7d2
-
SHA512
4ce39e69483fbad186313ab5bd26cc15a068ce8c1785e78a995ba92299c5b191cfde53dc55e1de50318f91fb74a2b800970d5292c249f738531b60a9ecdab2b2
Malware Config
Extracted
Protocol: smtp- Host:
smtp.yandex.ru - Port:
587 - Username:
alexisborris@yandex.ru - Password:
@Veronica24#
Extracted
hawkeye_reborn
9.0.1.6
Protocol: smtp- Host:
smtp.yandex.ru - Port:
587 - Username:
alexisborris@yandex.ru - Password:
@Veronica24#
2aaa2ba3-49c8-4136-9d23-df4acf25bce7
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:true _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:@Veronica24# _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.ru _EmailUsername:alexisborris@yandex.ru _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:2aaa2ba3-49c8-4136-9d23-df4acf25bce7 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
Signatures
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 2 IoCs
Detects M00nD3v Logger payload in memory.
-
rezer0 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\667bd85d957124ab909987434bad3a62.exe"C:\Users\Admin\AppData\Local\Temp\667bd85d957124ab909987434bad3a62.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FeJAOhVJyQNy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6075.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\667bd85d957124ab909987434bad3a62.exe"{path}"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM wscript.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /F /IM wscript.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM cmd.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /F /IM cmd.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9001.tmp"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9428.tmp"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\667bd85d957124ab909987434bad3a62.exe.logMD5
0c2899d7c6746f42d5bbe088c777f94c
SHA1622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA2565b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078
-
C:\Users\Admin\AppData\Local\Temp\tmp6075.tmpMD5
f26720beb53bfe0683ae356bcb4f22f1
SHA152ec2f83a739a9b0016224d296f2b374c88f6a55
SHA256f23c4729d0128e3469f46ae59afb1ca854030b70161f95cf1174579324a1e5d9
SHA51296d1d3dca53e69029696dd2f5674430d82593bc63219f8071eb9875271503fee260e620255581e408ea94db410d0469585be970786d974bfa4a8a468d1a3e42b
-
C:\Users\Admin\AppData\Local\Temp\tmp9001.tmpMD5
1e69b6d630e694119f4f8c448a430b60
SHA1b118feca7d85ec706b54279a1dafc71673fe6e54
SHA2562f7eedbe9e3b0a3aa08df4fa2dc27de189484a8da8925cc6056513d744b7c00e
SHA51219924161f75cbbcf7bdf122f3aecb43d813186a6693413ccc15bb2945d48401c8f058edf034cc641cedc97ae5e328d88fabfab1b5f324014b83671b3ebd78822
-
memory/848-35-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/848-34-0x000000000041211A-mapping.dmp
-
memory/848-33-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/3180-16-0x000000000048B2FE-mapping.dmp
-
memory/3180-26-0x0000000005FD0000-0x0000000005FD1000-memory.dmpFilesize
4KB
-
memory/3180-15-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/3180-18-0x0000000073CE0000-0x00000000743CE000-memory.dmpFilesize
6.9MB
-
memory/3180-21-0x0000000007810000-0x0000000007882000-memory.dmpFilesize
456KB
-
memory/4064-24-0x0000000000000000-mapping.dmp
-
memory/4088-27-0x0000000000000000-mapping.dmp
-
memory/4168-13-0x0000000000000000-mapping.dmp
-
memory/4336-25-0x0000000000000000-mapping.dmp
-
memory/4440-28-0x0000000000000000-mapping.dmp
-
memory/4464-30-0x000000000044472E-mapping.dmp
-
memory/4464-29-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/4464-31-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/4700-10-0x00000000079A0000-0x00000000079A1000-memory.dmpFilesize
4KB
-
memory/4700-9-0x0000000007860000-0x00000000078F2000-memory.dmpFilesize
584KB
-
memory/4700-8-0x00000000057E0000-0x00000000057E2000-memory.dmpFilesize
8KB
-
memory/4700-7-0x0000000005350000-0x0000000005351000-memory.dmpFilesize
4KB
-
memory/4700-0-0x0000000073CE0000-0x00000000743CE000-memory.dmpFilesize
6.9MB
-
memory/4700-5-0x0000000005580000-0x0000000005581000-memory.dmpFilesize
4KB
-
memory/4700-4-0x0000000009D60000-0x0000000009D61000-memory.dmpFilesize
4KB
-
memory/4700-3-0x0000000005290000-0x0000000005326000-memory.dmpFilesize
600KB
-
memory/4700-1-0x0000000000A10000-0x0000000000A11000-memory.dmpFilesize
4KB