Analysis
- max time kernel: 22s
- max time network: 16s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:04
Static task: static1
Behavioral task: behavioral1
  Sample: AjovBsK6skyH9YF.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: AjovBsK6skyH9YF.exe
  Resource: win10v20201028
General
- Target: AjovBsK6skyH9YF.exe
- Size: 678KB
- MD5: 27f2b3826d5a67edd9723735f56a4618
- SHA1: 5658651dd0048f9ee597326670f5a3f934862f6c
- SHA256: e83be3e4db904d9f9896cd039170dc3fba0f316b6be60affea209aae96da71b8
- SHA512: d60931eb34c346388cd3fbc600beee4af3d1a084f2b4d9d9e117ec33d41863550edabd2bcab295c08ab50efb55ba66f02bc5e16e0b471b9f797c0aaa434326f4
Malware Config
Extracted
- Family: hawkeye_reborn
- Version: 10.1.2.5
- Exfiltration credentials: Protocol: smtp, Host: mail.privateemail.com, Port: 587, Username: info23@huatengaccessfloor.icu, Password: 1234567890
- Mutex: 6350b6c8-ea52-47b7-965a-70bcc39b86e5
- fields:
  _AntiDebugger: false
  _AntiVirusKiller: false
  _BotKiller: false
  _ClipboardLogger: false
  _Delivery: 0
  _DisableCommandPrompt: false
  _DisableRegEdit: false
  _DisableTaskManager: false
  _Disablers: false
  _EmailPassword: 1234567890
  _EmailPort: 587
  _EmailSSL: true
  _EmailServer: mail.privateemail.com
  _EmailUsername: info23@huatengaccessfloor.icu
  _EmptyClipboard: false
  _EmptyKeyStroke: false
  _ExecutionDelay: 10
  _FTPPort: 0
  _FTPSFTP: false
  _FakeMessageIcon: 0
  _FakeMessageShow: false
  _FileBinder: false
  _HideFile: false
  _HistoryCleaner: false
  _Install: false
  _InstallLocation: 0
  _InstallStartup: false
  _InstallStartupPersistance: false
  _KeyStrokeLogger: true
  _LogInterval: 10
  _LoopPasswordStealer: true
  _MeltFile: false
  _Mutex: 6350b6c8-ea52-47b7-965a-70bcc39b86e5
  _PasswordStealer: true
  _ProcessElevation: false
  _ProcessProtection: false
  _ScreenshotLogger: false
  _SystemInfo: false
  _Version: 10.1.2.5
  _WebCamLogger: false
  _WebsiteBlocker: false
  _WebsiteVisitor: false
  _WebsiteVisitorVisible: false
  _ZoneID: false
- name: HawkEye Keylogger - RebornX, Version=10.1.2.5, Culture=neutral, PublicKeyToken=null
Signatures
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
- M00nD3v Logger Payload (4 IoCs)
  Detects M00nD3v Logger payload in memory.
  Processes:
    resource | yara_rule
    behavioral1/memory/1272-3-0x0000000000497C3E-mapping.dmp | m00nd3v_logger
    behavioral1/memory/1272-2-0x0000000000400000-0x000000000049C000-memory.dmp | m00nd3v_logger
    behavioral1/memory/1272-4-0x0000000000400000-0x000000000049C000-memory.dmp | m00nd3v_logger
    behavioral1/memory/1272-5-0x0000000000400000-0x000000000049C000-memory.dmp | m00nd3v_logger
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 288 set thread context of 1272 | 288 | AjovBsK6skyH9YF.exe | MSBuild.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid | process
    1272 | MSBuild.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    description | pid | process | target process
    PID 288 wrote to memory of 2020 | 288 | AjovBsK6skyH9YF.exe | schtasks.exe
    PID 288 wrote to memory of 2020 | 288 | AjovBsK6skyH9YF.exe | schtasks.exe
    PID 288 wrote to memory of 2020 | 288 | AjovBsK6skyH9YF.exe | schtasks.exe
    PID 288 wrote to memory of 2020 | 288 | AjovBsK6skyH9YF.exe | schtasks.exe
    PID 288 wrote to memory of 1272 | 288 | AjovBsK6skyH9YF.exe | MSBuild.exe
    PID 288 wrote to memory of 1272 | 288 | AjovBsK6skyH9YF.exe | MSBuild.exe
    PID 288 wrote to memory of 1272 | 288 | AjovBsK6skyH9YF.exe | MSBuild.exe
    PID 288 wrote to memory of 1272 | 288 | AjovBsK6skyH9YF.exe | MSBuild.exe
    PID 288 wrote to memory of 1272 | 288 | AjovBsK6skyH9YF.exe | MSBuild.exe
    PID 288 wrote to memory of 1272 | 288 | AjovBsK6skyH9YF.exe | MSBuild.exe
    PID 288 wrote to memory of 1272 | 288 | AjovBsK6skyH9YF.exe | MSBuild.exe
    PID 288 wrote to memory of 1272 | 288 | AjovBsK6skyH9YF.exe | MSBuild.exe
    PID 288 wrote to memory of 1272 | 288 | AjovBsK6skyH9YF.exe | MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\AjovBsK6skyH9YF.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AjovBsK6skyH9YF.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tkqxkyVUWfaxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5004.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (depth 2)
    Command line: "{path}"
    - Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp5004.tmp
  MD5: ccb945e4c8fab78db746ec97887364a1
  SHA1: 817202ed0794bf77d0926d4e677e8e766a716027
  SHA256: ee860ae764adeb81dd0f3b09a55267d08a430279094e554a9a1e579e0ba5992a
  SHA512: ab9f3a4d95af93a1b5c9c1b5166734420ee97560c7e48ead5394bda618fbc0397fe2247de89b4d43102e3db3d5912052d236fe393dfafe00bba575d4b1f52980
- memory/1272-3-0x0000000000497C3E-mapping.dmp
- memory/1272-2-0x0000000000400000-0x000000000049C000-memory.dmp
  Filesize: 624KB
- memory/1272-4-0x0000000000400000-0x000000000049C000-memory.dmp
  Filesize: 624KB
- memory/1272-5-0x0000000000400000-0x000000000049C000-memory.dmp
  Filesize: 624KB
- memory/2020-0-0x0000000000000000-mapping.dmp