m00nd3v_logger | 1bb034cbd16394a007729ff3099c124f7b39b696b5e1db3d5078def6f8437d82

General

Target

SWIFT.exe
Size

867KB
MD5

8a0a2bca0b3d798daf56d1e05a6ace87
SHA1

c9ed1cb1c822c444626f4252ec07813e08d18286
SHA256

1bb034cbd16394a007729ff3099c124f7b39b696b5e1db3d5078def6f8437d82
SHA512

58a7ccc1129894a50f52022eb5d97ac2d1b1603b53ed63b1c763996bb47f6bae99565c52570dd7ef5a4846b357d8329ff1af167655e20ad0b1303c020ef66f0e

Score

10^/10

spyware stealer m00nd3v_logger keylogger trojan hawkeye_reborn

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
mail.djindustries.net
Port:
587
Username:
[email protected]
Password:
dj123

Mutex

7c6f1211-8a47-40f9-9379-74b0ebf28256

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:dj123 _EmailPort:587 _EmailSSL:false _EmailServer:mail.djindustries.net _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:7c6f1211-8a47-40f9-9379-74b0ebf28256 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

SWIFT.exeRegSvcs.exe

description	pid	process	target process
PID 3768 wrote to memory of 2532	3768	SWIFT.exe	schtasks.exe
PID 3768 wrote to memory of 2532	3768	SWIFT.exe	schtasks.exe
PID 3768 wrote to memory of 2532	3768	SWIFT.exe	schtasks.exe
PID 3768 wrote to memory of 3012	3768	SWIFT.exe	RegSvcs.exe
PID 3768 wrote to memory of 3012	3768	SWIFT.exe	RegSvcs.exe
PID 3768 wrote to memory of 3012	3768	SWIFT.exe	RegSvcs.exe
PID 3768 wrote to memory of 3012	3768	SWIFT.exe	RegSvcs.exe
PID 3768 wrote to memory of 3012	3768	SWIFT.exe	RegSvcs.exe
PID 3768 wrote to memory of 3012	3768	SWIFT.exe	RegSvcs.exe
PID 3768 wrote to memory of 3012	3768	SWIFT.exe	RegSvcs.exe
PID 3768 wrote to memory of 3012	3768	SWIFT.exe	RegSvcs.exe
PID 3012 wrote to memory of 3576	3012	RegSvcs.exe	vbc.exe
PID 3012 wrote to memory of 3576	3012	RegSvcs.exe	vbc.exe
PID 3012 wrote to memory of 3576	3012	RegSvcs.exe	vbc.exe
PID 3012 wrote to memory of 3576	3012	RegSvcs.exe	vbc.exe
PID 3012 wrote to memory of 3576	3012	RegSvcs.exe	vbc.exe
PID 3012 wrote to memory of 3576	3012	RegSvcs.exe	vbc.exe
PID 3012 wrote to memory of 3576	3012	RegSvcs.exe	vbc.exe
PID 3012 wrote to memory of 3576	3012	RegSvcs.exe	vbc.exe
PID 3012 wrote to memory of 3576	3012	RegSvcs.exe	vbc.exe
PID 3012 wrote to memory of 3572	3012	RegSvcs.exe	vbc.exe
PID 3012 wrote to memory of 3572	3012	RegSvcs.exe	vbc.exe
PID 3012 wrote to memory of 3572	3012	RegSvcs.exe	vbc.exe
PID 3012 wrote to memory of 3572	3012	RegSvcs.exe	vbc.exe
PID 3012 wrote to memory of 3572	3012	RegSvcs.exe	vbc.exe
PID 3012 wrote to memory of 3572	3012	RegSvcs.exe	vbc.exe
PID 3012 wrote to memory of 3572	3012	RegSvcs.exe	vbc.exe
PID 3012 wrote to memory of 3572	3012	RegSvcs.exe	vbc.exe
PID 3012 wrote to memory of 3572	3012	RegSvcs.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

vbc.exeRegSvcs.exe

pid	process
3576	vbc.exe
3576	vbc.exe
3576	vbc.exe
3576	vbc.exe
3576	vbc.exe
3576	vbc.exe
3576	vbc.exe
3576	vbc.exe
3576	vbc.exe
3576	vbc.exe
3576	vbc.exe
3576	vbc.exe
3012	RegSvcs.exe
3012	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 3012 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3012	RegSvcs.exe

M00nD3v Logger Payload 1 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/3012-2-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2532 schtasks.exe

pid	process
2532	schtasks.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SWIFT.exeRegSvcs.exe

description	pid	process	target process
PID 3768 set thread context of 3012	3768	SWIFT.exe	RegSvcs.exe
PID 3012 set thread context of 3576	3012	RegSvcs.exe	vbc.exe
PID 3012 set thread context of 3572	3012	RegSvcs.exe	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

3012 RegSvcs.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 bot.whatismyipaddress.com

pid	process
3012	RegSvcs.exe

flow	ioc
7	bot.whatismyipaddress.com

C:\Users\Admin\AppData\Local\Temp\SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3768

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mntgpSEljR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8C77.tmp"
2⤵
- Creates scheduled task(s)
PID:2532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpBD99.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC5E7.tmp"
3⤵
PID:3572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8C77.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD99.tmp

Download Submit
memory/2532-0-0x0000000000000000-mapping.dmp

Download
memory/3012-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3012-3-0x000000000048B2FE-mapping.dmp

Download
memory/3572-8-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3572-9-0x000000000041211A-mapping.dmp

Download
memory/3572-10-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3576-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3576-5-0x000000000044472E-mapping.dmp

Download
memory/3576-6-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads