hawkeye_reborn | 5ceedeaa99b65c724e1e4356bd44d8ec58b9834e526c223e39e554f93ec25d1b

General

Target

dozy.exe
Size

667KB
MD5

7754369bab0f70691cec43b5598cd78d
SHA1

4db33cb39a15aa69c433a05f241ac0a1f9ebe982
SHA256

5ceedeaa99b65c724e1e4356bd44d8ec58b9834e526c223e39e554f93ec25d1b
SHA512

41e9549ae747e76c0e05b043d2808ba77efd7b72c6a5ee45efd241eb452430c4b9e8627c7386a1bbb62e26110c7c1a9bd0678fe6b4d51674aed733e815923081

Score

10^/10

hawkeye_reborn m00nd3v_logger keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.2.2

Credentials

Protocol: smtp
Host:
smtp.yandex.ru
Port:
587
Username:
magagraceman@yandex.ru
Password:
tonero4417

Mutex

77c85b77-5c8c-4fe1-981b-0be5656136a8

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:tonero4417 _EmailPort:587 _EmailSSL:true _EmailServer:smtp.yandex.ru _EmailUsername:magagraceman@yandex.ru _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:70 _MeltFile:false _Mutex:77c85b77-5c8c-4fe1-981b-0be5656136a8 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 2 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/672-0-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral2/memory/672-1-0x000000000048A1DE-mapping.dmp	m00nd3v_logger

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 bot.whatismyipaddress.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

dozy.exe

description pid process target process

PID 1080 set thread context of 672 1080 dozy.exe dozy.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dozy.exe

pid process

672 dozy.exe
672 dozy.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dozy.exe

description pid process

Token: SeDebugPrivilege 672 dozy.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dozy.exe

pid process

672 dozy.exe

flow	ioc
20	bot.whatismyipaddress.com

description	pid	process	target process
PID 1080 set thread context of 672	1080	dozy.exe	dozy.exe

pid	process
672	dozy.exe
672	dozy.exe

description	pid	process
Token: SeDebugPrivilege	672	dozy.exe

pid	process
672	dozy.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

dozy.exe

description	pid	process	target process
PID 1080 wrote to memory of 672	1080	dozy.exe	dozy.exe
PID 1080 wrote to memory of 672	1080	dozy.exe	dozy.exe
PID 1080 wrote to memory of 672	1080	dozy.exe	dozy.exe
PID 1080 wrote to memory of 672	1080	dozy.exe	dozy.exe
PID 1080 wrote to memory of 672	1080	dozy.exe	dozy.exe
PID 1080 wrote to memory of 672	1080	dozy.exe	dozy.exe
PID 1080 wrote to memory of 672	1080	dozy.exe	dozy.exe
PID 1080 wrote to memory of 672	1080	dozy.exe	dozy.exe

C:\Users\Admin\AppData\Local\Temp\dozy.exe
"C:\Users\Admin\AppData\Local\Temp\dozy.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Local\Temp\dozy.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dozy.exe.log
MD5
ef140ef600b2463c9e7dbf064a104046

SHA1
c08fd1853877be95575ea2e860dd8cafef31f54c

SHA256
ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616

SHA512
bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c

Download Submit
memory/672-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/672-1-0x000000000048A1DE-mapping.dmp

Download

Analysis

Sharing