m00nd3v_logger | aed18091e44bb1a45419cd55517018c839a4c3463921c45b87f5ed7620a9a0c2

General

Target

payment detailes.exe
Size

777KB
MD5

895eb79d01fa3ea5fe46f8341691244e
SHA1

41837184e9aef1d339ecc62cc1923b88d518ddcf
SHA256

aed18091e44bb1a45419cd55517018c839a4c3463921c45b87f5ed7620a9a0c2
SHA512

ff53844c17974c67c2fc63a3c956429833333ee932b074266052787fbcbda67d915e79a7e1c1df1dec363512c2a1433c7d8ea8f1b455e8b40ad71cd7af788b89

Score

10^/10

spyware stealer m00nd3v_logger keylogger trojan hawkeye_reborn

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.0.0

Credentials

Protocol: smtp
Host:
mail.bnfurniture.net
Port:
587
Username:
[email protected]
Password:
BNF!vloc.146

Mutex

e8d9ca92-733e-4f3e-93ae-f2671efb738d

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:BNF!vloc.146 _EmailPort:587 _EmailSSL:false _EmailServer:mail.bnfurniture.net _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10080 _MeltFile:false _Mutex:e8d9ca92-733e-4f3e-93ae-f2671efb738d _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null

Signatures

Suspicious use of SetThreadContext 2 IoCs

Processes:

payment detailes.exeRegAsm.exe

description	pid	process	target process
PID 1448 set thread context of 932	1448	payment detailes.exe	RegAsm.exe
PID 932 set thread context of 1816	932	RegAsm.exe	vbc.exe

M00nD3v Logger Payload 3 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/932-0-0x0000000000400000-0x00000000004AA000-memory.dmp	m00nd3v_logger
behavioral1/memory/932-2-0x0000000000400000-0x00000000004AA000-memory.dmp	m00nd3v_logger
behavioral1/memory/932-3-0x0000000000400000-0x00000000004AA000-memory.dmp	m00nd3v_logger

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

payment detailes.exeRegAsm.exe

description	pid	process	target process
PID 1448 wrote to memory of 932	1448	payment detailes.exe	RegAsm.exe
PID 1448 wrote to memory of 932	1448	payment detailes.exe	RegAsm.exe
PID 1448 wrote to memory of 932	1448	payment detailes.exe	RegAsm.exe
PID 1448 wrote to memory of 932	1448	payment detailes.exe	RegAsm.exe
PID 1448 wrote to memory of 932	1448	payment detailes.exe	RegAsm.exe
PID 1448 wrote to memory of 932	1448	payment detailes.exe	RegAsm.exe
PID 1448 wrote to memory of 932	1448	payment detailes.exe	RegAsm.exe
PID 1448 wrote to memory of 932	1448	payment detailes.exe	RegAsm.exe
PID 932 wrote to memory of 1816	932	RegAsm.exe	vbc.exe
PID 932 wrote to memory of 1816	932	RegAsm.exe	vbc.exe
PID 932 wrote to memory of 1816	932	RegAsm.exe	vbc.exe
PID 932 wrote to memory of 1816	932	RegAsm.exe	vbc.exe
PID 932 wrote to memory of 1816	932	RegAsm.exe	vbc.exe
PID 932 wrote to memory of 1816	932	RegAsm.exe	vbc.exe
PID 932 wrote to memory of 1816	932	RegAsm.exe	vbc.exe
PID 932 wrote to memory of 1816	932	RegAsm.exe	vbc.exe
PID 932 wrote to memory of 1816	932	RegAsm.exe	vbc.exe
PID 932 wrote to memory of 1816	932	RegAsm.exe	vbc.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

payment detailes.exe

pid process

1448 payment detailes.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

1816 vbc.exe
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

pid	process
1448	payment detailes.exe

pid	process
1816	vbc.exe

C:\Users\Admin\AppData\Local\Temp\payment detailes.exe
"C:\Users\Admin\AppData\Local\Temp\payment detailes.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:1448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6141.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6141.tmp

Download Submit
memory/932-1-0x00000000004A557E-mapping.dmp

Download
memory/932-0-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/932-2-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/932-3-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/932-4-0x00000000006A0000-0x00000000006B1000-memory.dmp

Filesize
68KB

Download
memory/1816-9-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1816-10-0x0000000000447D8A-mapping.dmp

Download
memory/1816-11-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads