Analysis
-
max time kernel
130s -
max time network
131s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
09-11-2020 19:43
Static task
static1
Behavioral task
behavioral1
Sample
princeeeefile.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
princeeeefile.exe
Resource
win10v20201028
General
-
Target
princeeeefile.exe
-
Size
1.1MB
-
MD5
119b5e6afa1eb301675debb3f36972ef
-
SHA1
ccae3f1b236ea8f992e9982fb5191cb9a251555b
-
SHA256
d59139b6c15fcf4c4ff16f195a07efc6183422c7ccaef5ff6b446d760365d9b3
-
SHA512
0d0f440952d62a96d22ed52ca712ef7db09e5fd38704a97817c7f79cec91ff1a4a89522c615ebd96b97a68cb5f0d84f1ae92b9b52a69b204758b1d20689e94cb
Malware Config
Extracted
hawkeye_reborn
10.1.0.0
Protocol: smtp- Host:
mail.prismindia.in - Port:
587 - Username:
[email protected] - Password:
Stencil1@
236e7cc8-2338-48a0-99ee-d911950fa78d
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:Stencil1@ _EmailPort:587 _EmailSSL:false _EmailServer:mail.prismindia.in _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10080 _MeltFile:false _Mutex:236e7cc8-2338-48a0-99ee-d911950fa78d _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 4 IoCs
Detects M00nD3v Logger payload in memory.
Processes:
resource yara_rule behavioral1/memory/836-1-0x000000000055F5D0-mapping.dmp m00nd3v_logger behavioral1/memory/836-3-0x0000000000400000-0x0000000000561000-memory.dmp m00nd3v_logger behavioral1/memory/836-4-0x0000000001E40000-0x0000000001EEA000-memory.dmp m00nd3v_logger behavioral1/memory/836-6-0x0000000000230000-0x00000000002D5000-memory.dmp m00nd3v_logger -
Processes:
resource yara_rule behavioral1/memory/836-0-0x0000000000400000-0x0000000000561000-memory.dmp upx behavioral1/memory/836-2-0x0000000000400000-0x0000000000561000-memory.dmp upx behavioral1/memory/836-3-0x0000000000400000-0x0000000000561000-memory.dmp upx -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
princeeeefile.exeprinceeeefile.exedescription pid process target process PID 1056 set thread context of 836 1056 princeeeefile.exe princeeeefile.exe PID 836 set thread context of 604 836 princeeeefile.exe vbc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
princeeeefile.exevbc.exepid process 1056 princeeeefile.exe 604 vbc.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
princeeeefile.exepid process 1056 princeeeefile.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
princeeeefile.exeprinceeeefile.exedescription pid process target process PID 1056 wrote to memory of 836 1056 princeeeefile.exe princeeeefile.exe PID 1056 wrote to memory of 836 1056 princeeeefile.exe princeeeefile.exe PID 1056 wrote to memory of 836 1056 princeeeefile.exe princeeeefile.exe PID 1056 wrote to memory of 836 1056 princeeeefile.exe princeeeefile.exe PID 836 wrote to memory of 604 836 princeeeefile.exe vbc.exe PID 836 wrote to memory of 604 836 princeeeefile.exe vbc.exe PID 836 wrote to memory of 604 836 princeeeefile.exe vbc.exe PID 836 wrote to memory of 604 836 princeeeefile.exe vbc.exe PID 836 wrote to memory of 604 836 princeeeefile.exe vbc.exe PID 836 wrote to memory of 604 836 princeeeefile.exe vbc.exe PID 836 wrote to memory of 604 836 princeeeefile.exe vbc.exe PID 836 wrote to memory of 604 836 princeeeefile.exe vbc.exe PID 836 wrote to memory of 604 836 princeeeefile.exe vbc.exe PID 836 wrote to memory of 604 836 princeeeefile.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\princeeeefile.exe"C:\Users\Admin\AppData\Local\Temp\princeeeefile.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Users\Admin\AppData\Local\Temp\princeeeefile.exe"C:\Users\Admin\AppData\Local\Temp\princeeeefile.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp497E.tmp"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:604
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84