Analysis
  max time kernel: 61s
  max time network: 120s
  platform: windows10_x64
  resource: win10v20201028
  submitted: 09-11-2020 20:04
Static task: static1

Behavioral task: behavioral1
  Sample: AjovBsK6skyH9YF.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: AjovBsK6skyH9YF.exe
  Resource: win10v20201028
General
  Target: AjovBsK6skyH9YF.exe
  Size: 678KB
  MD5: 27f2b3826d5a67edd9723735f56a4618
  SHA1: 5658651dd0048f9ee597326670f5a3f934862f6c
  SHA256: e83be3e4db904d9f9896cd039170dc3fba0f316b6be60affea209aae96da71b8
  SHA512: d60931eb34c346388cd3fbc600beee4af3d1a084f2b4d9d9e117ec33d41863550edabd2bcab295c08ab50efb55ba66f02bc5e16e0b471b9f797c0aaa434326f4
Malware Config

Extracted
  Family: hawkeye_reborn
  Version: 10.1.2.5
  Credentials
    Protocol: smtp
    Host: mail.privateemail.com
    Port: 587
    Username: info23@huatengaccessfloor.icu
    Password: 1234567890
  Mutex: 6350b6c8-ea52-47b7-965a-70bcc39b86e5

  fields
    _AntiDebugger: false
    _AntiVirusKiller: false
    _BotKiller: false
    _ClipboardLogger: false
    _Delivery: 0
    _DisableCommandPrompt: false
    _DisableRegEdit: false
    _DisableTaskManager: false
    _Disablers: false
    _EmailPassword: 1234567890
    _EmailPort: 587
    _EmailSSL: true
    _EmailServer: mail.privateemail.com
    _EmailUsername: info23@huatengaccessfloor.icu
    _EmptyClipboard: false
    _EmptyKeyStroke: false
    _ExecutionDelay: 10
    _FTPPort: 0
    _FTPSFTP: false
    _FakeMessageIcon: 0
    _FakeMessageShow: false
    _FileBinder: false
    _HideFile: false
    _HistoryCleaner: false
    _Install: false
    _InstallLocation: 0
    _InstallStartup: false
    _InstallStartupPersistance: false
    _KeyStrokeLogger: true
    _LogInterval: 10
    _LoopPasswordStealer: true
    _MeltFile: false
    _Mutex: 6350b6c8-ea52-47b7-965a-70bcc39b86e5
    _PasswordStealer: true
    _ProcessElevation: false
    _ProcessProtection: false
    _ScreenshotLogger: false
    _SystemInfo: false
    _Version: 10.1.2.5
    _WebCamLogger: false
    _WebsiteBlocker: false
    _WebsiteVisitor: false
    _WebsiteVisitorVisible: false
    _ZoneID: false

  name: HawkEye Keylogger - RebornX, Version=10.1.2.5, Culture=neutral, PublicKeyToken=null
Signatures

HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.

M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

M00nD3v Logger Payload (2 IoCs)
  Detects M00nD3v Logger payload in memory.
  Processes:
    resource | yara_rule
    behavioral2/memory/184-2-0x0000000000400000-0x000000000049C000-memory.dmp | m00nd3v_logger
    behavioral2/memory/184-3-0x0000000000497C3E-mapping.dmp | m00nd3v_logger

Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 3980 set thread context of 184 | 3980 | AjovBsK6skyH9YF.exe | MSBuild.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid | process
    184 | MSBuild.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description | pid | process | target process
    PID 3980 wrote to memory of 4036 | 3980 | AjovBsK6skyH9YF.exe | schtasks.exe
    PID 3980 wrote to memory of 4036 | 3980 | AjovBsK6skyH9YF.exe | schtasks.exe
    PID 3980 wrote to memory of 4036 | 3980 | AjovBsK6skyH9YF.exe | schtasks.exe
    PID 3980 wrote to memory of 184 | 3980 | AjovBsK6skyH9YF.exe | MSBuild.exe
    PID 3980 wrote to memory of 184 | 3980 | AjovBsK6skyH9YF.exe | MSBuild.exe
    PID 3980 wrote to memory of 184 | 3980 | AjovBsK6skyH9YF.exe | MSBuild.exe
    PID 3980 wrote to memory of 184 | 3980 | AjovBsK6skyH9YF.exe | MSBuild.exe
    PID 3980 wrote to memory of 184 | 3980 | AjovBsK6skyH9YF.exe | MSBuild.exe
    PID 3980 wrote to memory of 184 | 3980 | AjovBsK6skyH9YF.exe | MSBuild.exe
    PID 3980 wrote to memory of 184 | 3980 | AjovBsK6skyH9YF.exe | MSBuild.exe
    PID 3980 wrote to memory of 184 | 3980 | AjovBsK6skyH9YF.exe | MSBuild.exe
Processes

  C:\Users\Admin\AppData\Local\Temp\AjovBsK6skyH9YF.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AjovBsK6skyH9YF.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tkqxkyVUWfaxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3C05.tmp"
      - Creates scheduled task(s)

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      Command line: "{path}"
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

  C:\Users\Admin\AppData\Local\Temp\tmp3C05.tmp
    MD5: 6e1dd869027c5ae154ecf4b8aeffd9c3
    SHA1: 6cac952e5363d1c78204e7d44d8fa21fe7c19c96
    SHA256: db3c3af0de40af9ea643e2e27371a7f30ed45842c92bd33b76bde46d2068eed9
    SHA512: 35ff96d7a41ed068020b6df888492d95446e800023697fdf227cb22eba8b7dcddc5fc80d9175d80fab6b315658875f5ab3cee1056faa0b506bcb2935da537947

  memory/184-2-0x0000000000400000-0x000000000049C000-memory.dmp
    Filesize: 624KB

  memory/184-3-0x0000000000497C3E-mapping.dmp

  memory/4036-0-0x0000000000000000-mapping.dmp