Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 20:39
Static task
static1
Behavioral task
behavioral1
Sample
vesseldetails.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
vesseldetails.exe
Resource
win10v20201028
General
-
Target
vesseldetails.exe
-
Size
668KB
-
MD5
58dabb3cafcad9f11c864a29d93f19da
-
SHA1
b900e523e7fdb0ad4df912189346653948df1754
-
SHA256
99098b282b5a2190cdb362bd92f8ce2b42dc70121c91680b318fe5aa2443c815
-
SHA512
3d8041149985538c39ff151ec2b7827ffb3fc2a1c60abfb409ca8beb7a1f767aea3d1f293e55645a540a64033ee3b05ddf7ddada0dd9c188be3722774f7276e8
Malware Config
Extracted
hawkeye_reborn
10.1.2.5
Protocol: smtp- Host:
mail.oms.com.sg - Port:
587 - Username:
calvin@oms.com.sg - Password:
oms3388$$
beb03e55-7618-45f1-9df1-fcc9af459623
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:oms3388$$ _EmailPort:587 _EmailSSL:true _EmailServer:mail.oms.com.sg _EmailUsername:calvin@oms.com.sg _EmptyClipboard:true _EmptyKeyStroke:true _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:2 _LoopPasswordStealer:true _MeltFile:false _Mutex:beb03e55-7618-45f1-9df1-fcc9af459623 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.5 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.2.5, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 2 IoCs
Detects M00nD3v Logger payload in memory.
Processes:
resource yara_rule behavioral2/memory/2276-0-0x0000000000400000-0x000000000049C000-memory.dmp m00nd3v_logger behavioral2/memory/2276-1-0x0000000000497C3E-mapping.dmp m00nd3v_logger -
Suspicious use of SetThreadContext 1 IoCs
Processes:
vesseldetails.exedescription pid process target process PID 1400 set thread context of 2276 1400 vesseldetails.exe vesseldetails.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
vesseldetails.exepid process 2276 vesseldetails.exe 2276 vesseldetails.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vesseldetails.exedescription pid process Token: SeDebugPrivilege 2276 vesseldetails.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
vesseldetails.exepid process 2276 vesseldetails.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
vesseldetails.exedescription pid process target process PID 1400 wrote to memory of 2276 1400 vesseldetails.exe vesseldetails.exe PID 1400 wrote to memory of 2276 1400 vesseldetails.exe vesseldetails.exe PID 1400 wrote to memory of 2276 1400 vesseldetails.exe vesseldetails.exe PID 1400 wrote to memory of 2276 1400 vesseldetails.exe vesseldetails.exe PID 1400 wrote to memory of 2276 1400 vesseldetails.exe vesseldetails.exe PID 1400 wrote to memory of 2276 1400 vesseldetails.exe vesseldetails.exe PID 1400 wrote to memory of 2276 1400 vesseldetails.exe vesseldetails.exe PID 1400 wrote to memory of 2276 1400 vesseldetails.exe vesseldetails.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\vesseldetails.exe"C:\Users\Admin\AppData\Local\Temp\vesseldetails.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vesseldetails.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx