Analysis

  • max time kernel
    142s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/02/2024, 09:58 UTC

General

  • Target

    a016c13d92b2950a5494db8916dd77ba.exe

  • Size

    709KB

  • MD5

    a016c13d92b2950a5494db8916dd77ba

  • SHA1

    8113747da58ffaf3964850704eed9ae32eeed846

  • SHA256

    0614874d49a085d84f0a2a71f370dff23a9898ee64a190d6cade492e4b91643d

  • SHA512

    2fe6ec7044276bc6d1631db75edd14dd6f7f756a1240580b686b7f93328726b7f4553a47db0b7c36624f919f9a81e17eb99e73225f9ff085de252133325bec76

  • SSDEEP

    12288:hnSLWoo7Zhx72JkQZvvkFMuYrIFmmh6JiBaA6Pt83cCS:RSLWZj7PQ5LamgaHV8zS

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    crissunslogs@gmail.com
  • Password:
    samsung@@

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Reads local data of messenger clients (2 TTPs)

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other profile contents.

  • Uses the VBS compiler for execution (1 TTP)

    vbc.exe is the Visual Basic .NET command-line compiler, a Microsoft-signed binary shipped with the .NET Framework. The sample starts it twice with a .txt file as its only argument (see Processes). Together with the SetThreadContext and WriteProcessMemory signatures below, and the memory dumps of the two vbc.exe processes showing differently sized image regions at 0x400000 (136KB in PID 2852, 440KB in PID 4836), this is consistent with vbc.exe being used as a host process for injected code rather than as a compiler.

  • Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a016c13d92b2950a5494db8916dd77ba.exe (PID 2764)
    "C:\Users\Admin\AppData\Local\Temp\a016c13d92b2950a5494db8916dd77ba.exe"
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2852, child of 2764)
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      • Accesses Microsoft Outlook accounts
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4836, child of 2764)
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      • Suspicious use of AdjustPrivilegeToken
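The process tree above, a temp-resident executable starting the .NET Framework's vbc.exe twice with a text file as its only argument, is a pattern an endpoint rule can catch without any knowledge of HawkEye. The following is an added example, not code from the sandbox or from this report: it runs a small set of constructed Sysmon-style process-creation events (the field names, the benign dotnet.exe build events with made-up PIDs, and the allowlists are assumptions) through a function that flags vbc.exe launches whose parent is not a build tool, whose parent image or argument lives in a user-writable directory, or whose parent starts vbc.exe more than once.

```python
"""Flag vbc.exe (the VB.NET compiler) launched the way the report's process tree shows.

Added example over constructed Sysmon-style events; not the sandbox's own logic.
BUILD_HOSTS, USER_WRITABLE and the events themselves are assumptions.
"""
from __future__ import annotations

import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# Parents that legitimately invoke vbc.exe (assumed allowlist; extend for local build agents).
BUILD_HOSTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
# Path fragments that mark user-writable locations (assumed; add local equivalents).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a016c13d92b2950a5494db8916dd77ba.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
HOLDER = r"C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

# Constructed events: the report's tree (PIDs 2764/2852/4836) plus one legitimate
# build (PIDs 5001/5002 and the dotnet.exe invocation are made up for contrast).
EVENTS = [
    ProcEvent(2764, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2852, 2764, VBC, f'"{VBC}" -f "{HOLDER}"'),
    ProcEvent(4836, 2764, VBC, f'"{VBC}" -f "{HOLDER}"'),
    ProcEvent(5001, 1000, r"C:\Program Files\dotnet\dotnet.exe",
              '"C:\\Program Files\\dotnet\\dotnet.exe" build'),
    ProcEvent(5002, 5001, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" @"C:\build\obj\Release\app.rsp"'),
]


def split_cmdline(cmd: str) -> list[str]:
    """Minimal Windows command-line tokenizer: quoted spans or runs of non-space."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def is_user_writable(path: str) -> bool:
    return any(frag in path.lower() for frag in USER_WRITABLE)


def basename_lower(path: str) -> str:
    return ntpath.basename(path).lower()


def find_vbc_hosts(events: list[ProcEvent]) -> list[dict]:
    """Return one finding per vbc.exe launch that shows at least one suspicious trait."""
    by_pid = {e.pid: e for e in events}
    vbc_per_parent = Counter(e.ppid for e in events if basename_lower(e.image) == "vbc.exe")
    findings = []
    for e in events:
        if basename_lower(e.image) != "vbc.exe":
            continue
        reasons = []
        parent = by_pid.get(e.ppid)
        if parent is None:
            reasons.append("parent missing from event stream")
        else:
            pname = basename_lower(parent.image)
            if pname not in BUILD_HOSTS:
                reasons.append(f"parent {pname} is not a known build host")
            if is_user_writable(parent.image):
                reasons.append("parent image is in a user-writable directory")
        # Skip argv[0]; a compiler driven by a build tool is passed project/response
        # files from a build tree, not a .txt from the user's Temp directory.
        args = split_cmdline(e.cmdline)[1:]
        if any(is_user_writable(a) for a in args):
            reasons.append("argument points into a user-writable directory")
        if vbc_per_parent[e.ppid] > 1:
            reasons.append(f"parent started {vbc_per_parent[e.ppid]} vbc.exe instances")
        if reasons:
            findings.append({"pid": e.pid, "ppid": e.ppid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_vbc_hosts(EVENTS):
        print(finding["pid"], "<-", finding["ppid"], "; ".join(finding["reasons"]))
```

Both sandbox vbc.exe launches are reported with four reasons each, while the constructed dotnet.exe build is silent; in production the allowlist and path fragments are the knobs to tune, and the parent-count check is what separates a one-off compile from a loader that re-hosts a payload.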

Network

  Transactions (entries with no process named are not attributed to the sample's process):

  • DNS PTR 180.178.17.96.in-addr.arpa via 8.8.8.8:53
    Response: a96-17-178-180.deploy.static.akamaitechnologies.com
  • DNS PTR 183.142.211.20.in-addr.arpa via 8.8.8.8:53
    Response: empty
  • DNS A whatismyipaddress.com via 8.8.8.8:53, by a016c13d92b2950a5494db8916dd77ba.exe
    Response: 104.16.154.36, 104.16.155.36
  • GET http://whatismyipaddress.com/ by a016c13d92b2950a5494db8916dd77ba.exe, remote address 104.16.154.36:80
    Request
    GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Fri, 16 Feb 2024 09:58:37 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Fri, 16 Feb 2024 10:58:37 GMT
    Location: https://whatismyipaddress.com/
    Set-Cookie: __cf_bm=xg9lGtQpdW6oOcGf2MbSudbawMVhk9g2u9134KILx4k-1708077517-1.0-AZ2ueEbBbjNUbLBkzKy/8jYJlQx4o2e2/045N8WGMrdK1dfKE1SRAeCsd9Vf41Nm2CvoJutUFaVs0bHQS5AWvpA=; path=/; expires=Fri, 16-Feb-24 10:28:37 GMT; domain=.whatismyipaddress.com; HttpOnly
    Server: cloudflare
    CF-RAY: 8564eee14b7c6367-LHR
    alt-svc: h3=":443"; ma=86400
  • GET https://whatismyipaddress.com/ by a016c13d92b2950a5494db8916dd77ba.exe, remote address 104.16.154.36:443
    Request
    GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 403 Forbidden
    Date: Fri, 16 Feb 2024 09:58:37 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Resource-Policy: same-origin
    Origin-Agent-Cluster: ?1
    Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
    Referrer-Policy: same-origin
    X-Frame-Options: SAMEORIGIN
    cf-mitigated: challenge
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Set-Cookie: __cf_bm=qvXf7YJJERB6DZW4nAyQ.SYK8zKzI7aJbSR4FO1Llrc-1708077517-1.0-AbrzHw2rsgBuAZgktvPJJWLowdiGZu0DZ0Kt7jOZk2udBzi5NCcjZ8NCX7tNAwEZYAm7CAqdOsYa10Ks3Z3+mJw=; path=/; expires=Fri, 16-Feb-24 10:28:37 GMT; domain=.whatismyipaddress.com; HttpOnly; Secure
    Server: cloudflare
    CF-RAY: 8564eee2b83c069a-LHR
    alt-svc: h3=":443"; ma=86400
    The request carries no User-Agent header, and the 403 is a Cloudflare bot challenge (cf-mitigated: challenge) rather than the page, so the sample did not obtain its external IP from this service. It proceeded to the SMTP connections listed below regardless.
  • DNS PTR 36.154.16.104.in-addr.arpa via 8.8.8.8:53
    Response: empty
  • DNS PTR 136.32.126.40.in-addr.arpa via 8.8.8.8:53
    Response: empty
  • DNS PTR 95.221.229.192.in-addr.arpa via 8.8.8.8:53
    Response: empty
  • DNS A smtp.gmail.com via 8.8.8.8:53, by a016c13d92b2950a5494db8916dd77ba.exe
    Response: 142.250.102.108
  • DNS PTR 108.102.250.142.in-addr.arpa via 8.8.8.8:53
    Response: rb-in-f108.1e100.net
  • DNS PTR 217.106.137.52.in-addr.arpa via 8.8.8.8:53
    Response: empty
  • DNS PTR 157.123.68.40.in-addr.arpa via 8.8.8.8:53
    Response: empty
  • DNS PTR 171.39.242.20.in-addr.arpa via 8.8.8.8:53
    Response: empty
  • DNS PTR 18.134.221.88.in-addr.arpa via 8.8.8.8:53
    Response: a88-221-134-18.deploy.static.akamaitechnologies.com
  • DNS PTR 187.178.17.96.in-addr.arpa via 8.8.8.8:53
    Response: a96-17-178-187.deploy.static.akamaitechnologies.com
  • DNS PTR 19.229.111.52.in-addr.arpa via 8.8.8.8:53
    Response: empty
  • DNS PTR 19.229.111.52.in-addr.arpa via 8.8.8.8:53 (query repeated)
    Response: not recorded
  Connections (remote address, name, protocol, process; byte and packet counts are given as sent, then received):

  • 104.16.154.36:80 | http://whatismyipaddress.com/ | http | a016c13d92b2950a5494db8916dd77ba.exe
    504 B / 8 packets sent, 746 B / 4 packets received
    HTTP Request: GET http://whatismyipaddress.com/
    HTTP Response: 301
  • 104.16.154.36:443 | https://whatismyipaddress.com/ | tls, http | a016c13d92b2950a5494db8916dd77ba.exe
    1.2kB / 18 packets sent, 22.6kB / 26 packets received
    HTTP Request: GET https://whatismyipaddress.com/
    HTTP Response: 403
  • 142.250.102.108:587 | smtp.gmail.com | smtp | a016c13d92b2950a5494db8916dd77ba.exe
    1.2kB / 16 packets sent, 6.4kB / 18 packets received
  • 142.250.102.108:587 | smtp.gmail.com | smtp | a016c13d92b2950a5494db8916dd77ba.exe
    1.2kB / 12 packets sent, 1.7kB / 14 packets received
  • 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | dns
    72 B / 1 packet sent, 137 B / 1 packet received
    DNS Request: 180.178.17.96.in-addr.arpa
  • 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | dns
    73 B / 1 packet sent, 159 B / 1 packet received
    DNS Request: 183.142.211.20.in-addr.arpa
  • 8.8.8.8:53 | whatismyipaddress.com | dns | a016c13d92b2950a5494db8916dd77ba.exe
    67 B / 1 packet sent, 99 B / 1 packet received
    DNS Request: whatismyipaddress.com
    DNS Response: 104.16.154.36, 104.16.155.36
  • 8.8.8.8:53 | 36.154.16.104.in-addr.arpa | dns
    72 B / 1 packet sent, 134 B / 1 packet received
    DNS Request: 36.154.16.104.in-addr.arpa
  • 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | dns
    72 B / 1 packet sent, 158 B / 1 packet received
    DNS Request: 136.32.126.40.in-addr.arpa
  • 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | dns
    73 B / 1 packet sent, 144 B / 1 packet received
    DNS Request: 95.221.229.192.in-addr.arpa
  • 8.8.8.8:53 | smtp.gmail.com | dns | a016c13d92b2950a5494db8916dd77ba.exe
    60 B / 1 packet sent, 76 B / 1 packet received
    DNS Request: smtp.gmail.com
    DNS Response: 142.250.102.108
  • 8.8.8.8:53 | 108.102.250.142.in-addr.arpa | dns
    74 B / 1 packet sent, 108 B / 1 packet received
    DNS Request: 108.102.250.142.in-addr.arpa
  • 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | dns
    73 B / 1 packet sent, 147 B / 1 packet received
    DNS Request: 217.106.137.52.in-addr.arpa
  • 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | dns
    72 B / 1 packet sent, 146 B / 1 packet received
    DNS Request: 157.123.68.40.in-addr.arpa
  • 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | dns
    72 B / 1 packet sent, 158 B / 1 packet received
    DNS Request: 171.39.242.20.in-addr.arpa
  • 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | dns
    72 B / 1 packet sent, 137 B / 1 packet received
    DNS Request: 18.134.221.88.in-addr.arpa
  • 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | dns
    72 B / 1 packet sent, 137 B / 1 packet received
    DNS Request: 187.178.17.96.in-addr.arpa
  • 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | dns
    144 B / 2 packets sent, 158 B / 1 packet received
    DNS Request: 19.229.111.52.in-addr.arpa (sent twice)
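The connection list above shows one ordering worth alerting on by itself: the same process contacts a public IP-echo service and then opens SMTP submission sessions to a webmail provider. As an added example that is not part of the sandbox report, the code below correlates constructed flow records modelled on that list (the timestamps, the benign OUTLOOK.EXE and firefox.exe flows, the 203.0.113.10 address, and the IP-echo and mail-client lists are assumptions) and reports each non-mail-client process that shows the sequence within a time window.

```python
"""Correlate flows: IP-echo lookup followed by SMTP from the same non-mail process.

Added example over constructed flow records; not the sandbox's own code.
IP_ECHO_HOSTS, MAIL_CLIENTS, timestamps and the benign flows are assumptions.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Public "what is my IP" services (assumed list; the report shows only the first one).
IP_ECHO_HOSTS = {"whatismyipaddress.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
SMTP_PORTS = {25, 465, 587}
# Processes expected to speak SMTP (assumed allowlist).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since start of capture (constructed)
    process: str     # image path of the originating process, "" if unattributed
    host: str        # resolved name of the destination
    dst_ip: str
    dst_port: int
    proto: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a016c13d92b2950a5494db8916dd77ba.exe"

# Constructed records mirroring the report's connection list, plus benign traffic
# for contrast: a mail client sending mail, a browser visiting the IP-echo site,
# and an unattributed PTR lookup. 203.0.113.10 is a documentation address.
FLOWS = [
    Flow(0, SAMPLE, "whatismyipaddress.com", "8.8.8.8", 53, "dns"),
    Flow(1, SAMPLE, "whatismyipaddress.com", "104.16.154.36", 80, "http"),
    Flow(1, SAMPLE, "whatismyipaddress.com", "104.16.154.36", 443, "tls, http"),
    Flow(2, "", "180.178.17.96.in-addr.arpa", "8.8.8.8", 53, "dns"),
    Flow(3, SAMPLE, "smtp.gmail.com", "8.8.8.8", 53, "dns"),
    Flow(4, SAMPLE, "smtp.gmail.com", "142.250.102.108", 587, "smtp"),
    Flow(40, SAMPLE, "smtp.gmail.com", "142.250.102.108", 587, "smtp"),
    Flow(5, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
         "smtp.office365.com", "203.0.113.10", 587, "smtp"),
    Flow(6, r"C:\Program Files\Mozilla Firefox\firefox.exe",
         "whatismyipaddress.com", "104.16.154.36", 443, "tls, http"),
]


def find_exfil_candidates(flows: list[Flow], window: int = 300) -> list[dict]:
    """One finding per process that hit an IP-echo service and then opened SMTP
    within `window` seconds. Mail clients and unattributed flows are skipped."""
    by_proc: dict[str, list[Flow]] = {}
    for f in flows:
        if f.process:
            by_proc.setdefault(f.process, []).append(f)

    findings = []
    for proc, pflows in by_proc.items():
        if ntpath.basename(proc).lower() in MAIL_CLIENTS:
            continue
        pflows = sorted(pflows, key=lambda f: f.ts)
        # The DNS query alone is not the lookup; require the HTTP(S) contact.
        lookups = [f for f in pflows if f.host in IP_ECHO_HOSTS and f.proto != "dns"]
        smtp = [f for f in pflows if f.proto == "smtp" and f.dst_port in SMTP_PORTS]
        for lk in lookups:
            hits = [s for s in smtp if lk.ts <= s.ts <= lk.ts + window]
            if hits:
                findings.append({
                    "process": proc,
                    "ip_echo_host": lk.host,
                    "smtp_host": hits[0].host,
                    "smtp_dst": f"{hits[0].dst_ip}:{hits[0].dst_port}",
                    "smtp_sessions": len(hits),
                    "process_in_temp": "\\temp\\" in proc.lower(),
                })
                break  # one finding per process is enough
    return findings


if __name__ == "__main__":
    for finding in find_exfil_candidates(FLOWS):
        print(finding)
```

Only the sample is reported, with both SMTP sessions counted; OUTLOOK.EXE is excluded by the allowlist and firefox.exe never opens SMTP. Whether the IP lookup succeeded is irrelevant to the rule: in this run the service answered with a 403 challenge and the sample still went on to smtp.gm.com's submission port, so the contact attempt is the signal, not the result.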

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\holdermail.txt

    Filesize

    271B

    MD5

    a18df529a77ed1fbd887400151b9728f

    SHA1

    74912cb5e97566749ccae5f70e52ee87cb4dfa07

    SHA256

    599ceb2fab753551e7b27340cd3a9d2eb44a887dfb178d1c05015159bb352eb3

    SHA512

    a446e30992bc63b53952982e06069555e9b65eb25274495470d4410a04bcc9aeaa96b95300fc89512181e0614abf279f439b52f32ffc6ffb3034230c97aa08b0

  • C:\Users\Admin\AppData\Local\Temp\holdermail.txt

    Filesize

    327B

    MD5

    e4f3273432f9167e5f8bd2048206773d

    SHA1

    139b6566c6f8c6a359dd7e6063f88be24f701c8d

    SHA256

    b620b529c43ed1dab8db9c63b402958e1a0b65c9110029b92ac8ae2c21c0acb2

    SHA512

    e1bf722b627cd5f1e1678549d51f9556a1d31c8e5f47dfbe343c81aef7bac279ca2b062751666d650b2c196785a84b0d2edca09d1a04b829f4ae869e513e6941

  • memory/2764-5-0x0000000001700000-0x0000000001710000-memory.dmp

    Filesize

    64KB

  • memory/2764-33-0x00000000750D0000-0x0000000075681000-memory.dmp

    Filesize

    5.7MB

  • memory/2764-8-0x0000000001700000-0x0000000001710000-memory.dmp

    Filesize

    64KB

  • memory/2764-2-0x00000000750D0000-0x0000000075681000-memory.dmp

    Filesize

    5.7MB

  • memory/2764-0-0x00000000750D0000-0x0000000075681000-memory.dmp

    Filesize

    5.7MB

  • memory/2764-36-0x0000000001700000-0x0000000001710000-memory.dmp

    Filesize

    64KB

  • memory/2764-35-0x0000000001700000-0x0000000001710000-memory.dmp

    Filesize

    64KB

  • memory/2764-34-0x0000000001700000-0x0000000001710000-memory.dmp

    Filesize

    64KB

  • memory/2764-1-0x0000000001700000-0x0000000001710000-memory.dmp

    Filesize

    64KB

  • memory/2852-9-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2852-10-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2852-11-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2852-17-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/4836-19-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/4836-31-0x0000000000470000-0x0000000000539000-memory.dmp

    Filesize

    804KB

  • memory/4836-32-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/4836-22-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/4836-21-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/4836-20-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB
