Analysis
-
max time kernel
50s -
max time network
40s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
09-11-2020 19:36
Static task
static1
Behavioral task
behavioral1
Sample
0000000347034555_06052020.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
0000000347034555_06052020.exe
Resource
win10v20201028
General
-
Target
0000000347034555_06052020.exe
-
Size
688KB
-
MD5
47b0196de05f2982f986ad83c571729b
-
SHA1
410dd7090a599d42f343c74b3c5b72092a55ee61
-
SHA256
5024c970c93f71f337a7a013d96a40d0c74870f1b6b25480bd5a507b70580cf1
-
SHA512
5a7488326eeaf0217b2d481bb93ae83960b9b3a75cc39be8ab04e8bfd0562cccc866ab279a6e6867d0ef8cd07ea216977f0bb2ae57721e27979e090e60237aeb
Malware Config
Extracted
hawkeye_reborn
10.1.2.2
Protocol: ftp- Host:
ftp.airbiast.com - Port:
21 - Username:
[email protected] - Password:
playboy123#
40f2c4d7-d616-43ae-974d-93b4bdc7e04d
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:playboy123# _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.airbiast.com _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:43800 _MeltFile:false _Mutex:40f2c4d7-d616-43ae-974d-93b4bdc7e04d _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 4 IoCs
Detects M00nD3v Logger payload in memory.
Processes:
resource yara_rule behavioral1/memory/1780-7-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1780-8-0x000000000048A1DE-mapping.dmp m00nd3v_logger behavioral1/memory/1780-9-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral1/memory/1780-10-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
Processes:
resource yara_rule behavioral1/memory/336-4-0x0000000004B50000-0x0000000004BE1000-memory.dmp rezer0 -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
0000000347034555_06052020.exedescription pid process target process PID 336 set thread context of 1780 336 0000000347034555_06052020.exe 0000000347034555_06052020.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
0000000347034555_06052020.exe0000000347034555_06052020.exedescription pid process Token: SeDebugPrivilege 336 0000000347034555_06052020.exe Token: SeDebugPrivilege 1780 0000000347034555_06052020.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
0000000347034555_06052020.exedescription pid process target process PID 336 wrote to memory of 1048 336 0000000347034555_06052020.exe schtasks.exe PID 336 wrote to memory of 1048 336 0000000347034555_06052020.exe schtasks.exe PID 336 wrote to memory of 1048 336 0000000347034555_06052020.exe schtasks.exe PID 336 wrote to memory of 1048 336 0000000347034555_06052020.exe schtasks.exe PID 336 wrote to memory of 1780 336 0000000347034555_06052020.exe 0000000347034555_06052020.exe PID 336 wrote to memory of 1780 336 0000000347034555_06052020.exe 0000000347034555_06052020.exe PID 336 wrote to memory of 1780 336 0000000347034555_06052020.exe 0000000347034555_06052020.exe PID 336 wrote to memory of 1780 336 0000000347034555_06052020.exe 0000000347034555_06052020.exe PID 336 wrote to memory of 1780 336 0000000347034555_06052020.exe 0000000347034555_06052020.exe PID 336 wrote to memory of 1780 336 0000000347034555_06052020.exe 0000000347034555_06052020.exe PID 336 wrote to memory of 1780 336 0000000347034555_06052020.exe 0000000347034555_06052020.exe PID 336 wrote to memory of 1780 336 0000000347034555_06052020.exe 0000000347034555_06052020.exe PID 336 wrote to memory of 1780 336 0000000347034555_06052020.exe 0000000347034555_06052020.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0000000347034555_06052020.exe"C:\Users\Admin\AppData\Local\Temp\0000000347034555_06052020.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiQVpIZAeSJIEc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7224.tmp"2⤵
- Creates scheduled task(s)
PID:1048 -
C:\Users\Admin\AppData\Local\Temp\0000000347034555_06052020.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
1c815eb7319db48b2e50bf6c4a4e415d
SHA1c868699dcc550b88b4695ebdbba8620e73ff21d4
SHA256d35801c14767cf15a9be3081512bb53d2c4acc3b00368c90d82344b374ccc15c
SHA5127c14ad2471c35214297557e255450bd19e557008b55f8bfc01fa96b3a673c3fb060395c8f5e7693df86750b65132d6c390d5c360114f643dcc6db018e716f6d5