General
-
Target
PO 75410085_Pdf_______________.exe
-
Size
718KB
-
Sample
201109-v9erzme8n6
-
MD5
4cf536a025295e6c6360c749b32c9b07
-
SHA1
8e381356bdc365b47ef17e6e74b5f85329c1efd1
-
SHA256
623088f292f9cda615bded9d1d9990dfbb3f03943b570054e92d7d6f5a992b3a
-
SHA512
ac58f3b82afcff9742b9b3dfe45ecb84f47e64903f798580134ccc6522a9d9194e0f881decdc528006c79d0244e65a3fc3f9bf8b84fee0014e8097ed8acdc9ea
Static task
static1
Behavioral task
behavioral1
Sample
PO 75410085_Pdf_______________.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
PO 75410085_Pdf_______________.exe
Resource
win10v20201028
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
tsnewdawn2018
Extracted
hawkeye_reborn
10.1.2.2
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
tsnewdawn2018
18fb0183-a312-4c1a-9aa0-f10270aac54e
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:tsnewdawn2018 _EmailPort:587 _EmailSSL:true _EmailServer:smtp.gmail.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:18fb0183-a312-4c1a-9aa0-f10270aac54e _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null
Targets
-
-
Target
PO 75410085_Pdf_______________.exe
-
Size
718KB
-
MD5
4cf536a025295e6c6360c749b32c9b07
-
SHA1
8e381356bdc365b47ef17e6e74b5f85329c1efd1
-
SHA256
623088f292f9cda615bded9d1d9990dfbb3f03943b570054e92d7d6f5a992b3a
-
SHA512
ac58f3b82afcff9742b9b3dfe45ecb84f47e64903f798580134ccc6522a9d9194e0f881decdc528006c79d0244e65a3fc3f9bf8b84fee0014e8097ed8acdc9ea
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload
Detects M00nD3v Logger payload in memory.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-