Overview

overview

10

Static

static

7cfd8176a561d1...3b.exe

windows7_x64

10

7cfd8176a561d1...3b.exe

windows10-2004_x64

10
General
Target

7cfd8176a561d17895afb532af1b04ebcba28aed056ce03a46a22bb069954c3b

Size

1011KB

Sample

220701-ge7vnsgbf4

Score
10/10
MD5

98119cf7e92697a623d6d186ddca94d9

SHA1

4190ebf1ba1ae0941b8b52c5968e6206ec0570cb

SHA256

7cfd8176a561d17895afb532af1b04ebcba28aed056ce03a46a22bb069954c3b

SHA512

c5675f6ae548148785b7b34498952f49bcebd82e966e47ff2f3bc0785534ff6a17f54750a53040777755d16962f3cbd5a1269f203682ac720e89fac4e1c9eeab

Malware Config

Extracted

Family

hawkeye_reborn
Version

9.0.1.6
Credentials

Protocol: smtp

Host: smtp.yandex.com

Port: 587

Username: shun.zi@yandex.com

Password: chibu1985
Attributes
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:chibu1985 _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.com _EmailUsername:shun.zi@yandex.com _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:18510a81-4a2c-46b6-8ff6-1badb284d4f1 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Extracted

Family

xpertrat
Version

3.0.10
Botnet

Test
C2

obystar.duckdns.org:1867
Targets
Target

7cfd8176a561d17895afb532af1b04ebcba28aed056ce03a46a22bb069954c3b

MD5

98119cf7e92697a623d6d186ddca94d9

Filesize

1011KB

Score
10/10
SHA1

4190ebf1ba1ae0941b8b52c5968e6206ec0570cb

SHA256

7cfd8176a561d17895afb532af1b04ebcba28aed056ce03a46a22bb069954c3b

SHA512

c5675f6ae548148785b7b34498952f49bcebd82e966e47ff2f3bc0785534ff6a17f54750a53040777755d16962f3cbd5a1269f203682ac720e89fac4e1c9eeab

Tags

Signatures

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    Tags

  • HawkEye Reborn

    Description

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    Tags

  • M00nd3v_Logger

    Description

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    Tags

  • UAC bypass

    Tags

    TTPs

    Bypass User Account ControlDisabling Security ToolsModify Registry

  • Windows security bypass

    Tags

    TTPs

    Disabling Security ToolsModify Registry

  • XpertRAT

    Description

    XpertRAT is a remote access trojan with various capabilities.

    Tags

  • XpertRAT Core Payload

  • M00nD3v Logger Payload

    Description

    Detects M00nD3v Logger payload in memory.

    Tags

  • NirSoft MailPassView

    Description

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Description

    Password recovery tool for various web browsers

  • Nirsoft

  • Executes dropped EXE

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator

    Description

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    Tags

  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Uses the VBS compiler for execution

    TTPs

    Scripting

  • Windows security modification

    Tags

    TTPs

    Disabling Security ToolsModify Registry

  • Accesses Microsoft Outlook accounts

    Tags

    TTPs

    Email Collection

  • Accesses Microsoft Outlook profiles

    Tags

    TTPs

    Email Collection

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry

  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

Related Tasks

behavioral1behavioral2
MITRE ATT&CK Matrix
Collection
Command and Control
    Credential Access
    Defense Evasion
    Discovery
    Execution
      Exfiltration
        Impact
          Initial Access
            Lateral Movement
              Persistence
              Privilege Escalation