Analysis
max time kernel: 144s
max time network: 150s
platform: windows7_x64
resource: win7-en-20211208
submitted: 05-02-2022 09:45
Static task: static1
Behavioral task: behavioral1
  Sample: HSBC BANK LETTER.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: HSBC BANK LETTER.exe
  Resource: win10v2004-en-20220113
General
Target: HSBC BANK LETTER.exe
Size: 722KB
MD5: c9f3af24ebda7a1bcaa94dc81156cf45
SHA1: 14dff67f355616a09733afabff2cf836bf9ebe52
SHA256: 07236ee497bab6187ef9e5ea42f6a184a9bb32030b50d88f251a449b03890305
SHA512: 719cfafe427d48211d4364954ac40bc714409b8b7a1b84cac8c208491daeee47418f25dd18b94800330485ed764539e0c62360913f59a04d44f3f87605f22663
Malware Config
Extracted
Family: hawkeye_reborn
Version: 10.1.2.0
Exfiltration: Protocol: smtp, Host: mail.privateemail.com, Port: 587, Username: [email protected] (placeholder as shown on the page; the address itself was not preserved), Password: Whyworry90#
Mutex: 445412f4-e62c-45fb-b469-c2a7c60a1a4b
fields:
  _AntiDebugger: false
  _AntiVirusKiller: false
  _BotKiller: false
  _ClipboardLogger: true
  _Delivery: 0
  _DisableCommandPrompt: false
  _DisableRegEdit: false
  _DisableTaskManager: false
  _Disablers: false
  _EmailPassword: Whyworry90#
  _EmailPort: 587
  _EmailSSL: true
  _EmailServer: mail.privateemail.com
  _EmailUsername: [email protected]
  _ExecutionDelay: 10
  _FTPPort: 0
  _FTPSFTP: false
  _FakeMessageIcon: 0
  _FakeMessageShow: false
  _FileBinder: false
  _HideFile: false
  _HistoryCleaner: false
  _Install: false
  _InstallLocation: 0
  _InstallStartup: false
  _InstallStartupPersistance: false
  _KeyStrokeLogger: true
  _LogInterval: 10
  _MeltFile: false
  _Mutex: 445412f4-e62c-45fb-b469-c2a7c60a1a4b
  _PasswordStealer: true
  _ProcessElevation: false
  _ProcessProtection: false
  _ScreenshotLogger: false
  _SystemInfo: false
  _Version: 10.1.2.0
  _WebCamLogger: false
  _WebsiteBlocker: false
  _WebsiteVisitor: false
  _WebsiteVisitorVisible: false
  _ZoneID: false
name: HawkEye Keylogger - RebornX, Version=10.1.2.0, Culture=neutral, PublicKeyToken=null

Reading the config: the modules switched on are the clipboard logger, keystroke logger and password stealer; screenshot, webcam, website and every anti-analysis option is off. Logs go out over SMTP with TLS (_EmailSSL true) to mail.privateemail.com:587, with _ExecutionDelay 10 and _LogInterval 10 (units are not stated in the report). _Install, _InstallStartup and _MeltFile are all false, so the HawkEye payload itself is not configured to persist; the scheduled task in the process tree is created by the parent loader process before it injects the payload, which points to the crypter stage, not this config, owning persistence.
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 3 IoCs
Detects M00nD3v Logger payload in memory.
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1448-60-0x0000000000400000-0x0000000000490000-memory.dmp  m00nd3v_logger
  behavioral1/memory/1448-61-0x0000000000400000-0x0000000000490000-memory.dmp  m00nd3v_logger
  behavioral1/memory/1448-62-0x0000000000400000-0x0000000000490000-memory.dmp  m00nd3v_logger
All three hits are on dumps of PID 1448's image region (0x400000-0x490000), the child that the parent hollows; the rule does not fire on the on-disk sample, so the unpacked payload exists only in that injected process.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  process: HSBC BANK LETTER.exe, description: Key opened, ioc: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: HSBC BANK LETTER.exe, description: Key opened, ioc: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: HSBC BANK LETTER.exe, description: Key opened, ioc: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
The stealer tries the Office 15.0 and 16.0 profile paths as well as the legacy Windows Messaging Subsystem path, so a detection keyed on any one of them will miss the others.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 4, ioc: bot.whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs
Processes:
  PID 2020 (HSBC BANK LETTER.exe) set thread context of PID 1448 (HSBC BANK LETTER.exe)
Taken together with the WriteProcessMemory events below (the same parent writing nine times into a child that runs the same image), this is the RunPE / process-hollowing sequence: the loader typically starts a suspended copy of itself, overwrites its image with the decrypted payload, and resumes it with a rewritten thread context. Memory forensics and the YARA hits above therefore centre on PID 1448, not on the on-disk sample.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but nothing in this sample's extracted config points to encryption; for a stealer, drive enumeration is ordinary file-system reconnaissance, so weight this signature low here.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  PID 1448 HSBC BANK LETTER.exe (2 hits)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  Token: SeDebugPrivilege, PID 1448 HSBC BANK LETTER.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  PID 1448 HSBC BANK LETTER.exe
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
  PID 2020 (HSBC BANK LETTER.exe) wrote to memory of PID 860 (schtasks.exe)           x4
  PID 2020 (HSBC BANK LETTER.exe) wrote to memory of PID 1448 (HSBC BANK LETTER.exe)  x9
A few writes into a freshly created child are part of normal process creation (the parent populates the child's environment and command line), which is why schtasks.exe shows up here; the nine writes into PID 1448 followed by SetThreadContext are the injection.
outlook_office_path 1 IoCs
Processes:
  process: HSBC BANK LETTER.exe, description: Key opened, ioc: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
outlook_win_path 1 IoCs
Processes:
  process: HSBC BANK LETTER.exe, description: Key opened, ioc: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
C:\Users\Admin\AppData\Local\Temp\HSBC BANK LETTER.exe  (PID 2020)
  Command line: "C:\Users\Admin\AppData\Local\Temp\HSBC BANK LETTER.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\schtasks.exe  (PID 860)
  |     Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QZsWuVHcCxhEXU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBE9D.tmp"
  |     - Creates scheduled task(s)
  |
  +-- C:\Users\Admin\AppData\Local\Temp\HSBC BANK LETTER.exe  (PID 1448)
        Command line: "{path}"
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - outlook_office_path
        - outlook_win_path

Notes on the tree:
  - The command line names C:\Windows\System32\schtasks.exe, but the image that ran is C:\Windows\SysWOW64\schtasks.exe: the loader is a 32-bit process on a 64-bit host, so WOW64 file-system redirection substitutes the 32-bit binary. Expect this mismatch in telemetry and do not read it as path spoofing.
  - The task is created from an XML file in the user's Temp directory (tmpBE9D.tmp) under the name "Updates\QZsWuVHcCxhEXU". The trigger and action live in that XML, not on the command line, so pull the file from the sandbox to learn what the task runs; the report does not record its contents.
  - The hollowed child is started with the literal command line "{path}", a placeholder the loader never filled in. It is a cheap hunting pivot in process-creation telemetry (Sysmon Event ID 1, Windows Event ID 4688), as is a child whose parent has the identical image path.
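As an added example, not code from the report, the sandbox or the malware, the Python below turns the behavioural signatures in this report (the SetThreadContext and WriteProcessMemory pairing, the schtasks /Create from a Temp XML file, the "{path}" command line, and the Outlook profile key opens) into checks that run over process and registry telemetry. The event records are constructed to mirror the report's lines, the record layout and function names are this example's own, and the parent PID of the initial process is not given in the report and is left as None.

```python
"""Detection checks derived from the behavioural IoCs in the report above.

Added example; the records below are constructed to mirror the report's lines
and the tuple layouts are this example's own, not any sandbox or EDR schema.
"""
import re

IMG = "HSBC BANK LETTER.exe"

# Constructed process events: (operation, src pid, src image, dst pid, dst image)
PROC_EVENTS = (
    [("WriteProcessMemory", 2020, IMG, 860, "schtasks.exe")] * 4
    + [("WriteProcessMemory", 2020, IMG, 1448, IMG)] * 9
    + [("SetThreadContext", 2020, IMG, 1448, IMG)]
)

# Constructed process-creation records: (pid, parent pid, command line).
# The parent of PID 2020 is not recorded in the report, hence None.
PROC_CREATE = [
    (2020, None, r'"C:\Users\Admin\AppData\Local\Temp\HSBC BANK LETTER.exe"'),
    (860, 2020, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QZsWuVHcCxhEXU" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpBE9D.tmp"'),
    (1448, 2020, "{path}"),
]

# Registry key opens copied from the report: (pid, key path)
_HKU = r"\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000"
REG_OPENS = [
    (1448, _HKU + r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    (1448, _HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    (1448, _HKU + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
]


def hollowed_children(events):
    """Self-hollowing: a parent writes into a child running the same image and
    then sets that child's thread context. A child that was only written to
    (schtasks.exe here) is normal process creation and is not reported."""
    written = {(src, dst) for op, src, _, dst, _ in events if op == "WriteProcessMemory"}
    return sorted(
        (src, dst)
        for op, src, src_img, dst, dst_img in events
        if op == "SetThreadContext" and src_img == dst_img and (src, dst) in written
    )


_TN = re.compile(r'/TN\s+"([^"]+)"', re.I)
_XML = re.compile(r'/XML\s+"([^"]+)"', re.I)
_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def schtasks_from_temp_xml(creates):
    """schtasks /Create whose task definition is an XML file under the user's
    Temp directory. Returns (pid, task name, xml path) per hit."""
    hits = []
    for pid, _ppid, cmd in creates:
        low = cmd.lower()
        if "schtasks" not in low or "/create" not in low:
            continue
        tn, xml = _TN.search(cmd), _XML.search(cmd)
        if xml and _TEMP.search(xml.group(1)):
            hits.append((pid, tn.group(1) if tn else None, xml.group(1)))
    return hits


def placeholder_cmdline(creates):
    """Processes started with the literal command line "{path}"."""
    return [pid for pid, _ppid, cmd in creates if cmd == "{path}"]


_OUTLOOK = re.compile(
    r"\\Software\\Microsoft\\(Office\\\d+\.\d+\\Outlook"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\",
    re.I,
)


def outlook_profile_readers(reg_opens):
    """PIDs that open Outlook profile keys under either the versioned Office
    path or the Windows Messaging Subsystem path."""
    return sorted({pid for pid, key in reg_opens if _OUTLOOK.search(key)})


if __name__ == "__main__":
    print("hollowed:", hollowed_children(PROC_EVENTS))
    print("schtasks from temp xml:", schtasks_from_temp_xml(PROC_CREATE))
    print("{path} cmdline:", placeholder_cmdline(PROC_CREATE))
    print("outlook profile readers:", outlook_profile_readers(REG_OPENS))
```

The hollowing check keys on the image-path match plus the write-then-SetThreadContext order; a parent that only writes to a child, which every CreateProcess call does, is not flagged. Run the same three functions over Sysmon events 1, 8/10 and 12/13 to port them to a real host.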
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 6cda97d90455f19ef83faa2c11a66035
SHA1: 6163dee2b8191b03d45c80b443db78049ad9a241
SHA256: 7e991992e78b192f19a14cbd4a531ff888c9bca531d4d24aa1bfc074358a47dc
SHA512: 7156fd425e387440868a3352c36ab28f496bc82e42ea05a9d5343eb8a40b1e633208719df1c7517f774e88e0cf099e83bd3c0ce3d5df7639e90e3c2a928e8031
These hashes differ from the submitted sample's hashes in the General section; the report does not say which downloadable artifact they belong to.