Analysis
- max time kernel: 133s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-02-2022 15:04
Static task: static1
Behavioral task: behavioral1
  Sample: 615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe
  Resource: win10v2004-en-20220113
General
- Target: 615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe
- Size: 928KB
- MD5: 4e1c63f6dea273fa69557ad90b9d4df6
- SHA1: f08df5fba2f8abb1cb90c9448400f40ace024293
- SHA256: 615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e
- SHA512: ca97efeabedce4a76bfc09d47e87193185cc9004976340d0a76c72b61dce72d40b374a24f38f266bb2d9bb84f2ac6d800dad65fc16f1889a9fd90e5486f421eb
Malware Config
Extracted
- Family: hawkeye_reborn
- Version: 10.1.0.0
- Credentials: Protocol: smtp, Host: mail.eagleeyeapparels.com, Port: 587, Username: [email protected], Password: eagle*qaz
- Mutex: f9a93be0-7cc8-469a-b7ec-5d228b464786
- fields:
    _AntiDebugger: false
    _AntiVirusKiller: false
    _BotKiller: false
    _ClipboardLogger: true
    _Delivery: 0
    _DisableCommandPrompt: false
    _DisableRegEdit: false
    _DisableTaskManager: false
    _Disablers: false
    _EmailPassword: eagle*qaz
    _EmailPort: 587
    _EmailSSL: true
    _EmailServer: mail.eagleeyeapparels.com
    _EmailUsername: [email protected]
    _ExecutionDelay: 10
    _FTPPort: 0
    _FTPSFTP: false
    _FakeMessageIcon: 0
    _FakeMessageShow: false
    _FileBinder: false
    _HideFile: false
    _HistoryCleaner: false
    _Install: false
    _InstallLocation: 0
    _InstallStartup: false
    _InstallStartupPersistance: false
    _KeyStrokeLogger: true
    _LogInterval: 10
    _MeltFile: false
    _Mutex: f9a93be0-7cc8-469a-b7ec-5d228b464786
    _PasswordStealer: true
    _ProcessElevation: false
    _ProcessProtection: false
    _ScreenshotLogger: false
    _SystemInfo: false
    _Version: 10.1.0.0
    _WebCamLogger: false
    _WebsiteBlocker: false
    _WebsiteVisitor: false
    _WebsiteVisitorVisible: false
    _ZoneID: false
- name: HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null
Signatures
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
- M00nD3v Logger Payload (3 IoCs)
  Detects M00nD3v Logger payload in memory.
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1712-60-0x0000000000400000-0x00000000004AA000-memory.dmp  m00nd3v_logger
    behavioral1/memory/1712-61-0x0000000000400000-0x00000000004AA000-memory.dmp  m00nd3v_logger
    behavioral1/memory/1712-62-0x0000000000400000-0x00000000004AA000-memory.dmp  m00nd3v_logger
- NirSoft WebBrowserPassView (2 IoCs)
  Password recovery tool for various web browsers
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1380-70-0x0000000000400000-0x0000000000477000-memory.dmp  WebBrowserPassView
    behavioral1/memory/1380-73-0x0000000000400000-0x0000000000477000-memory.dmp  WebBrowserPassView
- Nirsoft (2 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1380-70-0x0000000000400000-0x0000000000477000-memory.dmp  Nirsoft
    behavioral1/memory/1380-73-0x0000000000400000-0x0000000000477000-memory.dmp  Nirsoft
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe, MSBuild.exe
    description                          pid   process                                                                target process
    PID 2000 set thread context of 1712  2000  615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe  MSBuild.exe
    PID 1712 set thread context of 1380  1712  MSBuild.exe                                                            vbc.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe, vbc.exe, MSBuild.exe
    pid   process
    2000  615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe
    1380  vbc.exe
    1712  MSBuild.exe
    1712  MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe, MSBuild.exe
    description              pid   process
    Token: SeDebugPrivilege  2000  615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe
    Token: SeDebugPrivilege  1712  MSBuild.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: MSBuild.exe
    pid   process
    1712  MSBuild.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes: 615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe, MSBuild.exe
  (identical rows collapsed; the count column gives how many times each row appears in the report)
    description                        pid   process                                                                target process  count
    PID 2000 wrote to memory of 1408   2000  615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe  MSBuild.exe     4
    PID 2000 wrote to memory of 1712   2000  615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe  MSBuild.exe     9
    PID 1712 wrote to memory of 1380   1712  MSBuild.exe                                                            vbc.exe         10
Processes
- C:\Users\Admin\AppData\Local\Temp\615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e.exe"
  PID: 2000 (level 1)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    Command line: "{path}"
    PID: 1408 (level 2)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    Command line: "{path}"
    PID: 1712 (level 2)
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp666F.tmp"
      PID: 1380 (level 3)
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f3b25701fe362ec84616a93a45ce9998
- SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
- SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84