Analysis
-
max time kernel
17s -
max time network
103s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 19:45
Static task
static1
Behavioral task
behavioral1
Sample
PO 75410085_Pdf_______________.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
PO 75410085_Pdf_______________.exe
Resource
win10v20201028
General
-
Target
PO 75410085_Pdf_______________.exe
-
Size
718KB
-
MD5
4cf536a025295e6c6360c749b32c9b07
-
SHA1
8e381356bdc365b47ef17e6e74b5f85329c1efd1
-
SHA256
623088f292f9cda615bded9d1d9990dfbb3f03943b570054e92d7d6f5a992b3a
-
SHA512
ac58f3b82afcff9742b9b3dfe45ecb84f47e64903f798580134ccc6522a9d9194e0f881decdc528006c79d0244e65a3fc3f9bf8b84fee0014e8097ed8acdc9ea
Malware Config
Extracted
hawkeye_reborn
10.1.2.2
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
tsnewdawn2018
18fb0183-a312-4c1a-9aa0-f10270aac54e
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:tsnewdawn2018 _EmailPort:587 _EmailSSL:true _EmailServer:smtp.gmail.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:18fb0183-a312-4c1a-9aa0-f10270aac54e _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null
Signatures
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
Processes:
resource yara_rule behavioral2/memory/800-6-0x00000000058D0000-0x00000000058D3000-memory.dmp coreentity -
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 2 IoCs
Detects M00nD3v Logger payload in memory.
Processes:
resource yara_rule behavioral2/memory/2072-9-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger behavioral2/memory/2072-10-0x000000000048A1DE-mapping.dmp m00nd3v_logger -
Processes:
resource yara_rule behavioral2/memory/800-7-0x00000000062F0000-0x0000000006381000-memory.dmp rezer0 -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 13 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
PO 75410085_Pdf_______________.exedescription pid process target process PID 800 set thread context of 2072 800 PO 75410085_Pdf_______________.exe PO 75410085_Pdf_______________.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
PO 75410085_Pdf_______________.exepid process 2072 PO 75410085_Pdf_______________.exe 2072 PO 75410085_Pdf_______________.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
PO 75410085_Pdf_______________.exedescription pid process Token: SeDebugPrivilege 2072 PO 75410085_Pdf_______________.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
PO 75410085_Pdf_______________.exedescription pid process target process PID 800 wrote to memory of 2072 800 PO 75410085_Pdf_______________.exe PO 75410085_Pdf_______________.exe PID 800 wrote to memory of 2072 800 PO 75410085_Pdf_______________.exe PO 75410085_Pdf_______________.exe PID 800 wrote to memory of 2072 800 PO 75410085_Pdf_______________.exe PO 75410085_Pdf_______________.exe PID 800 wrote to memory of 2072 800 PO 75410085_Pdf_______________.exe PO 75410085_Pdf_______________.exe PID 800 wrote to memory of 2072 800 PO 75410085_Pdf_______________.exe PO 75410085_Pdf_______________.exe PID 800 wrote to memory of 2072 800 PO 75410085_Pdf_______________.exe PO 75410085_Pdf_______________.exe PID 800 wrote to memory of 2072 800 PO 75410085_Pdf_______________.exe PO 75410085_Pdf_______________.exe PID 800 wrote to memory of 2072 800 PO 75410085_Pdf_______________.exe PO 75410085_Pdf_______________.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO 75410085_Pdf_______________.exe"C:\Users\Admin\AppData\Local\Temp\PO 75410085_Pdf_______________.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Users\Admin\AppData\Local\Temp\PO 75410085_Pdf_______________.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
0c2899d7c6746f42d5bbe088c777f94c
SHA1622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA2565b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078