Analysis

  • max time kernel
    342s
  • max time network
    385s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    22-11-2020 06:28

General

  • Target

    hyundai steel-pipe- job 8010.exe

  • Size

    721KB

  • MD5

    0999a03694a1c97a43ac0de89cbf355e

  • SHA1

    0c8fdd4c3b40c4827662baa0c89b5b50d8f0cf1d

  • SHA256

    8a9bcb387cd155170986cd1938beb317ee1ee511bcb6175a6d292bd976cca15b

  • SHA512

    6515a13d561d2adb08fd53dba80ecd7ee264b66080848e0c845f63313eb9a828c6be8014d6db47f8ac910e24848dd74c57aae00a92ebe9b4efd97676e0365fe9

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    mor440ney@yandex.com
  • Password:
    castor123@

Extracted

Family

hawkeye_reborn

Version

10.1.2.2

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    mor440ney@yandex.com
  • Password:
    castor123@
Mutex

245f77ec-c812-48df-870b-886d22992db6

Attributes
  • fields

    map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:castor123@ _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.com _EmailUsername:mor440ney@yandex.com _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:245f77ec-c812-48df-870b-886d22992db6 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]

  • name

    HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null

Signatures

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

  • M00nD3v Logger Payload 2 IoCs

    Detects M00nD3v Logger payload in memory.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe
    "C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2656

Network

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\hyundai steel-pipe- job 8010.exe.log
    MD5

    e5ada129ae553b760891d0d6ba3dbc88

    SHA1

    cc80f0f1a950eaf22f51d25eab57f0fc15636744

    SHA256

    665987eb14260f3f169d78022638a2efd7ba4f2a4749a84f90801d8ec259842c

    SHA512

    f36864fbb7d9b074fa9cd25ca16bbd137f0b78735bdb24062924e2675b1b1e89a98b0f5f7fa2aee4f3e72932464af4a2933b767b947b39a4ef9e2e1e66824a11

  • memory/2656-0-0x0000000000400000-0x0000000000490000-memory.dmp
    Filesize

    576KB

  • memory/2656-1-0x000000000048A1DE-mapping.dmp