m00nd3v_logger | f98bb09a67afe83ca7b041488f460d2a8b96224d77f21117d5b0076e04706dd4

General

Target

8r9tVWwqo5U1Myj.exe
Size

774KB
MD5

da562b863edb03d976b5ba170ecb2961
SHA1

561696a793ce3ef7f39ca1045a034dd08ec3e7f1
SHA256

f98bb09a67afe83ca7b041488f460d2a8b96224d77f21117d5b0076e04706dd4
SHA512

41a7a86f71851e0a5ef6244fd33b25108209d6c0477a00b56539a2773ab497dca5c34dda693a8bf77ab3355b48c8096c6eff51be577a468a754cfa87bdbdbfa4

Score

10^/10

spyware stealer m00nd3v_logger keylogger trojan hawkeye_reborn

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.0.0

Credentials

Protocol: smtp
Host:
mail.prismindia.in
Port:
587
Username:
[email protected]
Password:
Stencil1@

Mutex

236e7cc8-2338-48a0-99ee-d911950fa78d

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:Stencil1@ _EmailPort:587 _EmailSSL:false _EmailServer:mail.prismindia.in _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10080 _MeltFile:false _Mutex:236e7cc8-2338-48a0-99ee-d911950fa78d _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.0.0, Culture=neutral, PublicKeyToken=null

Signatures

Suspicious use of SetThreadContext 3 IoCs

Processes:

8r9tVWwqo5U1Myj.exe8r9tVWwqo5U1Myj.exe

description	pid	process	target process
PID 980 set thread context of 1732	980	8r9tVWwqo5U1Myj.exe	8r9tVWwqo5U1Myj.exe
PID 1732 set thread context of 3360	1732	8r9tVWwqo5U1Myj.exe	vbc.exe
PID 1732 set thread context of 3408	1732	8r9tVWwqo5U1Myj.exe	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8r9tVWwqo5U1Myj.exe

description pid process

Token: SeDebugPrivilege 980 8r9tVWwqo5U1Myj.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

8r9tVWwqo5U1Myj.exevbc.exe

pid process

980 8r9tVWwqo5U1Myj.exe
3360 vbc.exe
3360 vbc.exe
3360 vbc.exe
3360 vbc.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 bot.whatismyipaddress.com
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

description	pid	process
Token: SeDebugPrivilege	980	8r9tVWwqo5U1Myj.exe

pid	process
980	8r9tVWwqo5U1Myj.exe
3360	vbc.exe
3360	vbc.exe
3360	vbc.exe
3360	vbc.exe

flow	ioc
7	bot.whatismyipaddress.com

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

8r9tVWwqo5U1Myj.exe8r9tVWwqo5U1Myj.exe

description	pid	process	target process
PID 980 wrote to memory of 1732	980	8r9tVWwqo5U1Myj.exe	8r9tVWwqo5U1Myj.exe
PID 980 wrote to memory of 1732	980	8r9tVWwqo5U1Myj.exe	8r9tVWwqo5U1Myj.exe
PID 980 wrote to memory of 1732	980	8r9tVWwqo5U1Myj.exe	8r9tVWwqo5U1Myj.exe
PID 980 wrote to memory of 1732	980	8r9tVWwqo5U1Myj.exe	8r9tVWwqo5U1Myj.exe
PID 980 wrote to memory of 1732	980	8r9tVWwqo5U1Myj.exe	8r9tVWwqo5U1Myj.exe
PID 980 wrote to memory of 1732	980	8r9tVWwqo5U1Myj.exe	8r9tVWwqo5U1Myj.exe
PID 980 wrote to memory of 1732	980	8r9tVWwqo5U1Myj.exe	8r9tVWwqo5U1Myj.exe
PID 980 wrote to memory of 1732	980	8r9tVWwqo5U1Myj.exe	8r9tVWwqo5U1Myj.exe
PID 1732 wrote to memory of 3360	1732	8r9tVWwqo5U1Myj.exe	vbc.exe
PID 1732 wrote to memory of 3360	1732	8r9tVWwqo5U1Myj.exe	vbc.exe
PID 1732 wrote to memory of 3360	1732	8r9tVWwqo5U1Myj.exe	vbc.exe
PID 1732 wrote to memory of 3360	1732	8r9tVWwqo5U1Myj.exe	vbc.exe
PID 1732 wrote to memory of 3360	1732	8r9tVWwqo5U1Myj.exe	vbc.exe
PID 1732 wrote to memory of 3360	1732	8r9tVWwqo5U1Myj.exe	vbc.exe
PID 1732 wrote to memory of 3360	1732	8r9tVWwqo5U1Myj.exe	vbc.exe
PID 1732 wrote to memory of 3360	1732	8r9tVWwqo5U1Myj.exe	vbc.exe
PID 1732 wrote to memory of 3360	1732	8r9tVWwqo5U1Myj.exe	vbc.exe
PID 1732 wrote to memory of 3408	1732	8r9tVWwqo5U1Myj.exe	vbc.exe
PID 1732 wrote to memory of 3408	1732	8r9tVWwqo5U1Myj.exe	vbc.exe
PID 1732 wrote to memory of 3408	1732	8r9tVWwqo5U1Myj.exe	vbc.exe
PID 1732 wrote to memory of 3408	1732	8r9tVWwqo5U1Myj.exe	vbc.exe
PID 1732 wrote to memory of 3408	1732	8r9tVWwqo5U1Myj.exe	vbc.exe
PID 1732 wrote to memory of 3408	1732	8r9tVWwqo5U1Myj.exe	vbc.exe
PID 1732 wrote to memory of 3408	1732	8r9tVWwqo5U1Myj.exe	vbc.exe
PID 1732 wrote to memory of 3408	1732	8r9tVWwqo5U1Myj.exe	vbc.exe
PID 1732 wrote to memory of 3408	1732	8r9tVWwqo5U1Myj.exe	vbc.exe

M00nD3v Logger Payload 1 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/1732-0-0x0000000000400000-0x00000000004AA000-memory.dmp	m00nd3v_logger

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

C:\Users\Admin\AppData\Local\Temp\8r9tVWwqo5U1Myj.exe
"C:\Users\Admin\AppData\Local\Temp\8r9tVWwqo5U1Myj.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\8r9tVWwqo5U1Myj.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpAF65.tmp"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpB37D.tmp"
3⤵
PID:3408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAF65.tmp

Download Submit
memory/1732-0-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1732-1-0x00000000004A557E-mapping.dmp

Download
memory/3360-2-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3360-3-0x0000000000447D8A-mapping.dmp

Download
memory/3360-4-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3408-6-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3408-7-0x000000000044412E-mapping.dmp

Download
memory/3408-8-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads