Analysis
-
max time kernel
30s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 03:07
Static task
static1
Behavioral task
behavioral1
Sample
PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
Resource
win10v2004-20220414-en
General
-
Target
PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
-
Size
781KB
-
MD5
f31581564b5bbc14d3c862c2be157a52
-
SHA1
64e62fe3198a16cb205acd31400af967ad3dd347
-
SHA256
7c0f66eed3a2fc7c90ab5db03483aada693894a77a1480e22521ccf422a08ba3
-
SHA512
ded28a91894313cbdd5678ec191c1e138d524ce3785ca96a255b2bc09cf5f18b8d287a48cf6b754d658f5ab70d95f933899208dc54c21f6b113a0e87200f3f1a
Malware Config
Extracted
hawkeye_reborn
10.0.0.1
Protocol: smtp- Host:
mail.eagleeyeapparels.com - Port:
587 - Username:
[email protected] - Password:
eagle*qaz
f98d37f4-ca90-4ed7-9f6f-6121c4014605
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:eagle*qaz _EmailPort:587 _EmailSSL:true _EmailServer:mail.eagleeyeapparels.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:f98d37f4-ca90-4ed7-9f6f-6121c4014605 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:true _SystemInfo:true _Version:10.0.0.1 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye RebornX, Version=10.0.0.1, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
PO HALLEY PROJECT01X40 CFR 72020.tbz2.exedescription pid process target process PID 384 set thread context of 1968 384 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
PO HALLEY PROJECT01X40 CFR 72020.tbz2.exepid process 384 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe 384 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
PO HALLEY PROJECT01X40 CFR 72020.tbz2.exedescription pid process Token: SeDebugPrivilege 384 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
PO HALLEY PROJECT01X40 CFR 72020.tbz2.exedescription pid process target process PID 384 wrote to memory of 1968 384 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 384 wrote to memory of 1968 384 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 384 wrote to memory of 1968 384 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 384 wrote to memory of 1968 384 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 384 wrote to memory of 1968 384 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 384 wrote to memory of 1968 384 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 384 wrote to memory of 1968 384 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 384 wrote to memory of 1968 384 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PID 384 wrote to memory of 1968 384 PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe"C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Users\Admin\AppData\Local\Temp\PO HALLEY PROJECT01X40 CFR 72020.tbz2.exe"{path}"2⤵PID:1968