Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
01-02-2022 05:02
Static task
static1
Behavioral task
behavioral1
Sample
xSL4FcGiFNAXgLg.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
xSL4FcGiFNAXgLg.exe
Resource
win10v2004-en-20220112
General
-
Target
xSL4FcGiFNAXgLg.exe
-
Size
987KB
-
MD5
13448c9fe9b5e6b6a6d3994bba8f9555
-
SHA1
962eb66a7322172d457bfd81be7502cec6d7b5f9
-
SHA256
d9f2a175430adc77bc769e257717d0c3afdef060686fd7da3b7f3871f1e9a9d2
-
SHA512
1cbf63a85385baef34dab3fc18c080a18c3a89de3c18177e1c3e7372f1acdba3c25635855355b2de937bc667ec47f6749693f9130fb15e80b9d9e4f61d4f7bc8
Malware Config
Extracted
hawkeye_reborn
10.1.0.0
Protocol: smtp- Host:
mail.continentalmanpower.com - Port:
26 - Username:
[email protected] - Password:
MumCon05
51386575-9c41-482f-8c0b-bba72d83b6ee
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:MumCon05 _EmailPort:26 _EmailSSL:true _EmailServer:mail.continentalmanpower.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:51386575-9c41-482f-8c0b-bba72d83b6ee _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 3 IoCs
Detects M00nD3v Logger payload in memory.
resource yara_rule behavioral1/memory/1036-61-0x0000000000400000-0x00000000004AA000-memory.dmp m00nd3v_logger behavioral1/memory/1036-62-0x0000000000400000-0x00000000004AA000-memory.dmp m00nd3v_logger behavioral1/memory/1036-63-0x0000000000400000-0x00000000004AA000-memory.dmp m00nd3v_logger -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/1700-72-0x0000000000400000-0x0000000000477000-memory.dmp WebBrowserPassView behavioral1/memory/1700-74-0x0000000000400000-0x0000000000477000-memory.dmp WebBrowserPassView -
Nirsoft 2 IoCs
resource yara_rule behavioral1/memory/1700-72-0x0000000000400000-0x0000000000477000-memory.dmp Nirsoft behavioral1/memory/1700-74-0x0000000000400000-0x0000000000477000-memory.dmp Nirsoft -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 760 set thread context of 1036 760 xSL4FcGiFNAXgLg.exe 29 PID 1036 set thread context of 1700 1036 xSL4FcGiFNAXgLg.exe 33 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 784 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1700 vbc.exe 1036 xSL4FcGiFNAXgLg.exe 1036 xSL4FcGiFNAXgLg.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1036 xSL4FcGiFNAXgLg.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 760 wrote to memory of 784 760 xSL4FcGiFNAXgLg.exe 27 PID 760 wrote to memory of 784 760 xSL4FcGiFNAXgLg.exe 27 PID 760 wrote to memory of 784 760 xSL4FcGiFNAXgLg.exe 27 PID 760 wrote to memory of 784 760 xSL4FcGiFNAXgLg.exe 27 PID 760 wrote to memory of 1036 760 xSL4FcGiFNAXgLg.exe 29 PID 760 wrote to memory of 1036 760 xSL4FcGiFNAXgLg.exe 29 PID 760 wrote to memory of 1036 760 xSL4FcGiFNAXgLg.exe 29 PID 760 wrote to memory of 1036 760 xSL4FcGiFNAXgLg.exe 29 PID 760 wrote to memory of 1036 760 xSL4FcGiFNAXgLg.exe 29 PID 760 wrote to memory of 1036 760 xSL4FcGiFNAXgLg.exe 29 PID 760 wrote to memory of 1036 760 xSL4FcGiFNAXgLg.exe 29 PID 760 wrote to memory of 1036 760 xSL4FcGiFNAXgLg.exe 29 PID 760 wrote to memory of 1036 760 xSL4FcGiFNAXgLg.exe 29 PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe 33 PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe 33 PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe 33 PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe 33 PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe 33 PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe 33 PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe 33 PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe 33 PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe 33 PID 1036 wrote to memory of 1700 1036 xSL4FcGiFNAXgLg.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\xSL4FcGiFNAXgLg.exe"C:\Users\Admin\AppData\Local\Temp\xSL4FcGiFNAXgLg.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LbCowtz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D29.tmp"2⤵
- Creates scheduled task(s)
PID:784
-
-
C:\Users\Admin\AppData\Local\Temp\xSL4FcGiFNAXgLg.exe"{path}"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpE3E9.tmp"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1700
-
-