Analysis
- max time kernel: 83s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-07-2022 20:55
Static task: static1
Behavioral task: behavioral1
- Sample: fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe
- Resource: win10v2004-20220721-en
General
- Target: fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe
- Size: 2.0MB
- MD5: 83aebff419895e406911862d5ee7a029
- SHA1: 2d5545557538754a98258dc4cbf6af55fb065808
- SHA256: fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6
- SHA512: ff3817928467ebad1821fad2d319d22a374863a0c3bbb70a5e2babf9256968fb427f9f7455f85dd506d3ac260eaa2ce177cdd64f998fabc40dbb57e6b8a7a1fa
Malware Config
Extracted
- Family: hawkeye_reborn
- Version: 9.0.1.6
- Protocol: ftp
- Host: ftp.sventiskai.lt
- Port: 21
- Username: admin@sventiskai.lt
- Password: bathram0123
- Mutex: 5c11938b-5cda-4e44-b703-c5960eef7ac8
- fields:
  _AntiDebugger: false
  _AntiVirusKiller: false
  _BotKiller: false
  _ClipboardLogger: false
  _Delivery: 2
  _DisableCommandPrompt: false
  _DisableRegEdit: false
  _DisableTaskManager: false
  _Disablers: false
  _EmailPort: 0
  _EmailSSL: false
  _ExecutionDelay: 10
  _FTPPassword: bathram0123
  _FTPPort: 21
  _FTPSFTP: true
  _FTPServer: ftp.sventiskai.lt
  _FTPUsername: admin@sventiskai.lt
  _FakeMessageIcon: 0
  _FakeMessageShow: false
  _FileBinder: false
  _HideFile: false
  _HistoryCleaner: false
  _Install: false
  _InstallLocation: 0
  _InstallStartup: false
  _InstallStartupPersistance: false
  _KeyStrokeLogger: false
  _LogInterval: 43800
  _MeltFile: false
  _Mutex: 5c11938b-5cda-4e44-b703-c5960eef7ac8
  _PasswordStealer: true
  _ProcessElevation: false
  _ProcessProtection: false
  _ScreenshotLogger: false
  _SystemInfo: false
  _Version: 9.0.1.6
  _WebCamLogger: false
  _WebsiteBlocker: false
  _WebsiteVisitor: false
  _WebsiteVisitorVisible: false
  _ZoneID: false
- name: HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
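As an added example (not part of the sandbox report and not the malware family's own tooling), the Python below parses the `fields` map above, in the `map[_Key:value ...]` form the report prints, into typed values, lists which switches the builder turned on, and pulls out the exfiltration indicators a responder would block or hunt for. The key names and values are copied from the report; the function names, the stripping of the leading underscore and the choice of which fields count as indicators are this example's own.

```python
import re

# Constructed input: the HawkEye Reborn "fields" map exactly as the report prints it.
FIELDS_RAW = (
    "map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false "
    "_ClipboardLogger:false _Delivery:2 _DisableCommandPrompt:false "
    "_DisableRegEdit:false _DisableTaskManager:false _Disablers:false "
    "_EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:bathram0123 "
    "_FTPPort:21 _FTPSFTP:true _FTPServer:ftp.sventiskai.lt "
    "_FTPUsername:admin@sventiskai.lt _FakeMessageIcon:0 _FakeMessageShow:false "
    "_FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false "
    "_InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false "
    "_KeyStrokeLogger:false _LogInterval:43800 _MeltFile:false "
    "_Mutex:5c11938b-5cda-4e44-b703-c5960eef7ac8 _PasswordStealer:true "
    "_ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false "
    "_SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false "
    "_WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]"
)

MAP_RE = re.compile(r"^map\[(.*)\]$", re.S)


def _coerce(value: str):
    """Turn the map's textual values into bool / int / str."""
    if value == "true":
        return True
    if value == "false":
        return False
    if value.isdigit():
        return int(value)
    return value


def parse_fields(raw: str) -> dict:
    """Parse 'map[_Key:value _Key2:value ...]' into a dict keyed without the
    leading underscore (an assumption of this example, not the report's naming).
    Values in this config contain no spaces, so splitting on whitespace is safe;
    a token without ':' is rejected rather than silently dropped."""
    m = MAP_RE.match(raw.strip())
    if not m:
        raise ValueError("not a map[...] string")
    cfg = {}
    for token in m.group(1).split():
        key, sep, value = token.partition(":")
        if not sep:
            raise ValueError(f"malformed token: {token!r}")
        cfg[key.lstrip("_")] = _coerce(value)
    return cfg


def enabled_flags(cfg: dict) -> list:
    """Every boolean switch the builder turned on (modules and transport options)."""
    return sorted(k for k, v in cfg.items() if v is True)


def exfil_indicators(cfg: dict) -> dict:
    """What to block or hunt for: the drop server, the account used to log in,
    the mutex the implant creates, and the upload cadence. The password stays in
    the parsed dict but is deliberately not echoed here."""
    return {
        "ftp_server": cfg.get("FTPServer"),
        "ftp_port": cfg.get("FTPPort"),
        "ftp_username": cfg.get("FTPUsername"),
        "sftp_flag": cfg.get("FTPSFTP"),
        "mutex": cfg.get("Mutex"),
        "log_interval": cfg.get("LogInterval"),
        "version": cfg.get("Version"),
    }


if __name__ == "__main__":
    cfg = parse_fields(FIELDS_RAW)
    print("enabled:", enabled_flags(cfg))
    for k, v in exfil_indicators(cfg).items():
        print(f"{k}: {v}")
```

One thing the parsed output makes visible: `_FTPSFTP` is `true` in the map while the summary above reports plain `ftp` on port 21. The example reports both values rather than deciding which transport the implant actually used; the host name, account and mutex are actionable either way.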
Signatures
- HawkEye Reborn
  HawkEye Reborn is an enhanced version of the HawkEye malware kit.
- M00nd3v_Logger
  M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
  Processes:
    resource | yara_rule
    behavioral2/memory/1500-134-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
- NirSoft MailPassView (3 IoCs)
  Password recovery tool for various email clients
  Processes:
    resource | yara_rule
    behavioral2/memory/4652-145-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
    behavioral2/memory/4652-147-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
    behavioral2/memory/4652-148-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
- NirSoft WebBrowserPassView (4 IoCs)
  Password recovery tool for various web browsers
  Processes:
    resource | yara_rule
    behavioral2/memory/4564-138-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
    behavioral2/memory/4564-140-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
    behavioral2/memory/4564-141-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
    behavioral2/memory/4564-142-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
- Nirsoft (7 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/4564-138-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
    behavioral2/memory/4564-140-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
    behavioral2/memory/4564-141-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
    behavioral2/memory/4564-142-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
    behavioral2/memory/4652-145-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
    behavioral2/memory/4652-147-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
    behavioral2/memory/4652-148-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
- Uses the VBS compiler for execution (1 TTPs)
  vbc.exe, the Visual Basic .NET compiler shipped with the framework, is started here by RegAsm.exe with a /stext output path rather than any source to compile; the SetThreadContext rows and the NirSoft YARA matches on the vbc.exe memory regions (PIDs 4564 and 4652) show it serves only as a host for the injected password-recovery tools.
- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    30 | bot.whatismyipaddress.com
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    description | pid | process | target process
    PID 4704 set thread context of 1500 | 4704 | fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe | RegAsm.exe
    PID 1500 set thread context of 4564 | 1500 | RegAsm.exe | vbc.exe
    PID 1500 set thread context of 4652 | 1500 | RegAsm.exe | vbc.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid | process | events
    4704 | fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe | 2
    4564 | vbc.exe | 12
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 4704 | fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes:
    description | pid | process | target process | events
    PID 4704 wrote to memory of 1500 | 4704 | fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe | RegAsm.exe | 8
    PID 1500 wrote to memory of 4564 | 1500 | RegAsm.exe | vbc.exe | 9
    PID 1500 wrote to memory of 4652 | 1500 | RegAsm.exe | vbc.exe | 9
Processes
[1] C:\Users\Admin\AppData\Local\Temp\fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF801.tmp"
            - Suspicious behavior: EnumeratesProcesses
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFC28.tmp"
            - Accesses Microsoft Outlook accounts
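The injection chain the signatures above record (the dropper writes into RegAsm.exe and resets its thread context, and RegAsm.exe does the same to two vbc.exe instances started with /stext) can be reconstructed from the report's own rows. The Python below is an added example, not part of the sandbox or its signature engine: it takes the SetThreadContext and WriteProcessMemory rows in the report's wording plus the process tree as constructed input, pairs the two APIs per parent/child to recover the hollowing chain, and flags .NET Framework binaries used as hosts and any process launched with a NirSoft-style /stext output path. The list of host binaries beyond RegAsm.exe and vbc.exe is this example's assumption.

```python
import re
from collections import defaultdict

# Constructed input: the SetThreadContext / WriteProcessMemory rows from the report,
# one line per row in the report's own wording (the 26 write rows collapse to three pairs).
EVENT_LINES = [
    "PID 4704 set thread context of 1500 4704 fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe RegAsm.exe",
    "PID 1500 set thread context of 4564 1500 RegAsm.exe vbc.exe",
    "PID 1500 set thread context of 4652 1500 RegAsm.exe vbc.exe",
    "PID 4704 wrote to memory of 1500 4704 fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe RegAsm.exe",
    "PID 4704 wrote to memory of 1500 4704 fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe RegAsm.exe",
    "PID 1500 wrote to memory of 4564 1500 RegAsm.exe vbc.exe",
    "PID 1500 wrote to memory of 4652 1500 RegAsm.exe vbc.exe",
]

# Constructed input: the process tree from the report as pid -> (image path, command line).
PROCESSES = {
    4704: (r"C:\Users\Admin\AppData\Local\Temp\fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\fa494cb8c439fadfb6b67ed491513aa3c2fa1dfb4e0d03769ad909407a3b81f6.exe"'),
    1500: (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
           r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"'),
    4564: (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
           r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF801.tmp"'),
    4652: (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
           r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFC28.tmp"'),
}

EVENT_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)\b")
STEXT_RE = re.compile(r'/stext\s+"?([^"\s]+)"?', re.IGNORECASE)

# .NET Framework binaries commonly hollowed to host an injected payload. Only RegAsm.exe
# and vbc.exe appear in this report; the remaining names are this example's assumption.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "vbc.exe", "csc.exe", "msbuild.exe", "installutil.exe"}


def parse_events(lines):
    """(source pid, target pid) -> set of APIs seen for that pair: 'write' and/or 'ctx'."""
    seen = defaultdict(set)
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            src, api, dst = int(m.group(1)), m.group(2), int(m.group(3))
            seen[(src, dst)].add("write" if api.startswith("wrote") else "ctx")
    return seen


def hollowing_pairs(seen):
    """A parent that both writes into a child and resets its thread context is the
    process-hollowing pattern; either API on its own is not enough to call it."""
    return sorted(pair for pair, apis in seen.items() if {"write", "ctx"} <= apis)


def injection_chains(pairs, root):
    """Follow parent -> child pairs from the root to every leaf."""
    children = defaultdict(list)
    for src, dst in pairs:
        children[src].append(dst)
    chains = []

    def walk(path):
        if not children[path[-1]]:
            chains.append(path)
            return
        for child in sorted(children[path[-1]]):
            walk(path + [child])

    walk([root])
    return chains


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def findings(processes, pairs):
    """One record per hollowed child: who injected it, whether the host is a .NET
    Framework binary, and where a NirSoft-style /stext dump would be written."""
    out = []
    for src, dst in pairs:
        image, cmdline = processes[dst]
        m = STEXT_RE.search(cmdline)
        out.append({
            "pid": dst,
            "image": basename(image),
            "injected_by": src,
            "dotnet_host": basename(image) in DOTNET_HOSTS,
            "stext_path": m.group(1) if m else None,
        })
    return out


if __name__ == "__main__":
    pairs = hollowing_pairs(parse_events(EVENT_LINES))
    for chain in injection_chains(pairs, 4704):
        print(" -> ".join(str(p) for p in chain))
    for f in findings(PROCESSES, pairs):
        print(f)
```

On a live host the same logic applies to EDR telemetry: pair WriteProcessMemory with SetThreadContext per parent/child before alerting, and treat a /stext path on a compiler or registration utility as the signal that the dump file named there is worth collecting before the implant deletes or uploads it.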
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpF801.tmp (the output path passed to the first vbc.exe instance via /stext)
  Filesize: 4KB
  MD5: a64ef19cb7924d0ef7b27699e0237041
  SHA1: b6392aa8451f0721fcadff793808f8630182e66e
  SHA256: 66635dcdbf3439d7e09ac3f043c0ff6792f1ec281070fea4618d9b5fb287cb56
  SHA512: 66f6ae0b27227cfaf57a28e8f592a899375f763d0dc1e4f0199444b52e026f04243761bb20af127a7815a5c59db3c9fe1c1ff2a3ef069b8eccff3eef68da284b
- memory/1500-134-0x0000000000400000-0x0000000000490000-memory.dmp
  Filesize: 576KB
- memory/1500-136-0x0000000075520000-0x0000000075AD1000-memory.dmp
  Filesize: 5.7MB
- memory/1500-133-0x0000000000000000-mapping.dmp
- memory/1500-135-0x0000000075520000-0x0000000075AD1000-memory.dmp
  Filesize: 5.7MB
- memory/4564-137-0x0000000000000000-mapping.dmp
- memory/4564-140-0x0000000000400000-0x000000000045B000-memory.dmp
  Filesize: 364KB
- memory/4564-138-0x0000000000400000-0x000000000045B000-memory.dmp
  Filesize: 364KB
- memory/4564-141-0x0000000000400000-0x000000000045B000-memory.dmp
  Filesize: 364KB
- memory/4564-142-0x0000000000400000-0x000000000045B000-memory.dmp
  Filesize: 364KB
- memory/4652-144-0x0000000000000000-mapping.dmp
- memory/4652-145-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/4652-147-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/4652-148-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/4704-132-0x00000000057B0000-0x000000000584C000-memory.dmp
  Filesize: 624KB
- memory/4704-130-0x0000000000A10000-0x0000000000C12000-memory.dmp
  Filesize: 2.0MB
- memory/4704-131-0x0000000005A00000-0x0000000005F2C000-memory.dmp
  Filesize: 5.2MB