Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
28-05-2024 14:45
Static task
static1
Behavioral task
behavioral1
Sample
inv.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
inv.exe
Resource
win10v2004-20240508-en
General
-
Target
inv.exe
-
Size
961KB
-
MD5
76531d39883b68c043629aa10630d089
-
SHA1
824d18f09010dbaa411dbc6680e7e4bb7d7d646b
-
SHA256
ace8278c3113b551c6f87599c9a7d64724b55293fc64312a8c042585b07f75f8
-
SHA512
7cef89bff08fc07a31c63e20310e9bc75f12c53f4480ba4c9c9fb218af2e86e5881683c45696b3afab7c91223b45622b953c547a1eccbbf04b00756cdc29a9c1
-
SSDEEP
24576:bxLgu0WUD1HOYMXj/V0fX38g1yGQoxqW2T:bF5W1HOYGVqf17QoxW
Malware Config
Extracted
hawkeye_reborn
9.0.1.6
Protocol: smtp- Host:
mail.faraveili.com - Port:
25 - Username:
[email protected] - Password:
lord22
a57e5243-4d3f-45c0-b0f1-2785a9260e2b
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:lord22 _EmailPort:25 _EmailSSL:false _EmailServer:mail.faraveili.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:a57e5243-4d3f-45c0-b0f1-2785a9260e2b _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
resource yara_rule behavioral2/memory/2288-24-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/2288-29-0x0000000004EF0000-0x0000000004F66000-memory.dmp MailPassView behavioral2/memory/1576-41-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral2/memory/1576-42-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral2/memory/1576-44-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/2288-29-0x0000000004EF0000-0x0000000004F66000-memory.dmp WebBrowserPassView behavioral2/memory/1044-32-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral2/memory/1044-33-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral2/memory/1044-39-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView -
Nirsoft 7 IoCs
resource yara_rule behavioral2/memory/2288-29-0x0000000004EF0000-0x0000000004F66000-memory.dmp Nirsoft behavioral2/memory/1044-32-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/1044-33-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/1044-39-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/1576-41-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral2/memory/1576-42-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral2/memory/1576-44-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation inv.exe -
Executes dropped EXE 2 IoCs
pid Process 2364 app.exe 2288 app.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral2/memory/2364-22-0x0000000000A10000-0x0000000000A1A000-memory.dmp agile_net -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\Videos\\app.exe -boot" app.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2364 set thread context of 2288 2364 app.exe 103 PID 2288 set thread context of 1044 2288 app.exe 106 PID 2288 set thread context of 1576 2288 app.exe 107 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 1044 vbc.exe 1044 vbc.exe 1044 vbc.exe 1044 vbc.exe 1044 vbc.exe 1044 vbc.exe 1044 vbc.exe 1044 vbc.exe 1044 vbc.exe 1044 vbc.exe 1044 vbc.exe 1044 vbc.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 1464 inv.exe Token: 33 1464 inv.exe Token: SeIncBasePriorityPrivilege 1464 inv.exe Token: SeDebugPrivilege 2364 app.exe Token: 33 2364 app.exe Token: SeIncBasePriorityPrivilege 2364 app.exe -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 1464 wrote to memory of 3260 1464 inv.exe 96 PID 1464 wrote to memory of 3260 1464 inv.exe 96 PID 1464 wrote to memory of 3260 1464 inv.exe 96 PID 1464 wrote to memory of 1700 1464 inv.exe 99 PID 1464 wrote to memory of 1700 1464 inv.exe 99 PID 1464 wrote to memory of 1700 1464 inv.exe 99 PID 1700 wrote to memory of 2364 1700 cmd.exe 101 PID 1700 wrote to memory of 2364 1700 cmd.exe 101 PID 1700 wrote to memory of 2364 1700 cmd.exe 101 PID 2364 wrote to memory of 2288 2364 app.exe 103 PID 2364 wrote to memory of 2288 2364 app.exe 103 PID 2364 wrote to memory of 2288 2364 app.exe 103 PID 2364 wrote to memory of 2288 2364 app.exe 103 PID 2364 wrote to memory of 2288 2364 app.exe 103 PID 2364 wrote to memory of 2288 2364 app.exe 103 PID 2364 wrote to memory of 2288 2364 app.exe 103 PID 2364 wrote to memory of 2288 2364 app.exe 103 PID 2288 wrote to memory of 1044 2288 app.exe 106 PID 2288 wrote to memory of 1044 2288 app.exe 106 PID 2288 wrote to memory of 1044 2288 app.exe 106 PID 2288 wrote to memory of 1044 2288 app.exe 106 PID 2288 wrote to memory of 1044 2288 app.exe 106 PID 2288 wrote to memory of 1044 2288 app.exe 106 PID 2288 wrote to memory of 1044 2288 app.exe 106 PID 2288 wrote to memory of 1044 2288 app.exe 106 PID 2288 wrote to memory of 1044 2288 app.exe 106 PID 2288 wrote to memory of 1576 2288 app.exe 107 PID 2288 wrote to memory of 1576 2288 app.exe 107 PID 2288 wrote to memory of 1576 2288 app.exe 107 PID 2288 wrote to memory of 1576 2288 app.exe 107 PID 2288 wrote to memory of 1576 2288 app.exe 107 PID 2288 wrote to memory of 1576 2288 app.exe 107 PID 2288 wrote to memory of 1576 2288 app.exe 107 PID 2288 wrote to memory of 1576 2288 app.exe 107 PID 2288 wrote to memory of 1576 2288 app.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\inv.exe"C:\Users\Admin\AppData\Local\Temp\inv.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\inv.exe" "C:\Users\Admin\Videos\app.exe"2⤵PID:3260
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\Videos\app.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Users\Admin\Videos\app.exe"C:\Users\Admin\Videos\app.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Users\Admin\Videos\app.exe"C:\Users\Admin\Videos\app.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC85C.tmp"5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1044
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpCC64.tmp"5⤵
- Accesses Microsoft Outlook accounts
PID:1576
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
706B
MD52ef5ef69dadb8865b3d5b58c956077b8
SHA1af2d869bac00685c745652bbd8b3fe82829a8998
SHA256363502eb2a4e53ba02d2d85412b901fcf8e06de221736bdffa949799ef3d21e3
SHA51266d4db5dd17d88e1d54ea0df3a7211a503dc4355de701259cefccc9f2e4e3ced9534b700099ffbb089a5a3acb082011c80b61801aa14aff76b379ce8f90d4fd3
-
Filesize
4KB
MD573ddf6cd83c2ad8a2fbb2383e322ffbc
SHA105270f8bb7b5cc6ab9a61ae7453d047379089147
SHA2560ef9194c6e90b23c416316fc5a15f549ee5b2472014fcd7648d72ca9a865b409
SHA512714db1956faa795005b15324b9604105881d6b484fe899876fe0df85783c61a72f556a875833af8625625212503b95eea2eb353a1d98f6a7af47a3658ea5262d
-
Filesize
961KB
MD576531d39883b68c043629aa10630d089
SHA1824d18f09010dbaa411dbc6680e7e4bb7d7d646b
SHA256ace8278c3113b551c6f87599c9a7d64724b55293fc64312a8c042585b07f75f8
SHA5127cef89bff08fc07a31c63e20310e9bc75f12c53f4480ba4c9c9fb218af2e86e5881683c45696b3afab7c91223b45622b953c547a1eccbbf04b00756cdc29a9c1